Source: cve@mitre.org
The rexd service is running, which uses weak authentication that can allow an attacker to execute commands.
The rexd service, a legacy remote execution daemon, suffers from severely weak authentication, enabling attackers to remotely execute arbitrary commands on vulnerable systems. This vulnerability allows for complete system compromise, potentially leading to data breaches, system outages, and lateral movement within the network. Immediate remediation is critical due to the ease of exploitation and the potential for widespread impact.
Step 1: Reconnaissance: The attacker identifies systems running the rexd service (usually on port 512, 513, or 514). This can be done through port scanning or service enumeration.
Step 2: Authentication Bypass: The attacker crafts a malicious request to the rexd service. This request typically includes the target username and the command to be executed.
Step 3: IP Spoofing (if necessary): If the target system uses IP-based access control (e.g., .rhosts or hosts.equiv), the attacker spoofs their source IP address to match a trusted host or a host with a valid user entry.
Step 4: Command Execution: The rexd service, due to its weak authentication, trusts the request and executes the provided command with the privileges of the user running the rexd service (often root or a privileged user). This can include executing shell commands, uploading malware, or modifying system configurations.
Step 5: Post-Exploitation: The attacker can then use the compromised system for further attacks, such as data exfiltration, lateral movement, or denial-of-service attacks.
The root cause lies in the design of the rexd authentication mechanism. It relies on the .rhosts and hosts.equiv files, which trust remote hosts based on IP address and user credentials without strong cryptographic verification. Specifically, rexd trusts the source IP address and the user's username provided in the request. An attacker can spoof the source IP address and provide a valid username (or guess a valid username) to execute commands. The lack of proper authentication and authorization allows attackers to bypass security controls and execute commands with the privileges of the user running the rexd service. This fundamentally flawed design makes the service inherently insecure.
This vulnerability is a favorite of attackers targeting legacy systems. While specific APT groups are not directly linked, the ease of exploitation makes it a common tool for various threat actors. This type of vulnerability is often used in the initial access phase of an attack. Not listed on CISA KEV, but the potential for severe impact warrants high priority.
Network traffic analysis: Look for unusual traffic on ports 512, 513, and 514 (rexd ports).
Log analysis: Examine system logs (e.g., /var/log/auth.log, /var/log/syslog) for suspicious rexd activity, such as failed login attempts or unexpected command executions.
File integrity monitoring: Monitor changes to critical system files, such as .rhosts and hosts.equiv.
Host-based intrusion detection systems (HIDS): Implement HIDS to detect unauthorized command execution or file modifications.
SIEM integration: Correlate network and host-based events to identify potential exploitation attempts.
Disable the rexd service: The most effective remediation is to disable the rexd service if it's not essential. This eliminates the attack surface entirely.
Implement strong authentication: If rexd must be used, replace it with a more secure remote execution service, such as SSH, which uses strong cryptographic authentication.
Remove or secure .rhosts and hosts.equiv: If rexd is used, ensure that .rhosts and hosts.equiv files are not present or are configured securely (e.g., only allowing trusted hosts and users).
Network segmentation: Isolate systems running rexd from the rest of the network to limit the impact of a compromise.
Regular security audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities.
Patching and updates: Ensure that all systems are patched with the latest security updates, even for legacy systems. While a patch for rexd itself is unlikely, patching other related services may mitigate the risk.