sadmind daemon vulnerability
The sadmind daemon is used for distributed system administration operations in the Solstice AdminSuite applications. In its default configuration, sadmind uses a set of clear-text Remote Procedure Calls (RPC) to authenticate between two machines.
An attacker can construct RPC packets that allow them to forge a valid client identity and get it validated. Once the sadmind client has authenticated, the attacker can perform any command on the remote system, even with root privileges.
Protecting against sadmind vulnerability
sadmind is controlled through the file /etc/inetd.conf, as per the following entry:
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
In this configuration, sadmind uses cleartext hostnames and authentication credentials, because by default no security level is set.
There are two ways to deal with this situation:
- Completely disable sadmind in /etc/inetd.conf
  - If not required, disable sadmind by commenting out the sadmind line or removing it altogether:
    #100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
  - Restart inetd:
    # /usr/bin/pkill -HUP inetd
- Increase the level of security
  - Set DES encryption for your authentication mechanism by adding the -S 2 flag to the end of the sadmind line in inetd.conf:
    100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2
  - Restart inetd:
    # /usr/bin/pkill -HUP inetd
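
As an added example (not part of the original page), the following POSIX shell check classifies the sadmind entry in an inetd.conf-style file according to the two options above. The function name sadmind_status and the four status words are assumptions made for this illustration, and only the "-S 2" form shown on this page is recognised.

```sh
#!/bin/sh
# Classify the sadmind entry (RPC program 100232) in an inetd.conf-style file.
# Reads the files given as arguments, or stdin when none are given.
# Prints one word (names chosen for this example):
#   absent   - no sadmind line at all
#   disabled - only commented-out sadmind lines
#   insecure - at least one active line without "-S 2"
#   des      - every active line carries "-S 2"
sadmind_status() {
    awk '
        # Commented-out entry: optional whitespace, "#", then the program number.
        /^[ \t]*#[ \t]*100232\// { commented = 1; next }
        # Active entry: the line starts with the program number.
        /^[ \t]*100232\// {
            active = 1
            ok = 0
            # Fields 1-6 are the inetd columns, field 7 is argv[0];
            # look for "-S" followed by "2" among the remaining arguments.
            for (i = 7; i < NF; i++)
                if ($i == "-S" && $(i + 1) == "2") ok = 1
            if (!ok) weak = 1
        }
        END {
            if (weak)           print "insecure"
            else if (active)    print "des"
            else if (commented) print "disabled"
            else                print "absent"
        }
    ' "$@"
}

if [ "$#" -gt 0 ]; then
    # Audit the file(s) named on the command line, e.g. /etc/inetd.conf.
    sadmind_status "$@"
else
    # Constructed sample input: the default entry quoted on this page.
    printf '%s\n' \
        '100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind' |
        sadmind_status
fi
```

A result of "insecure" means the entry is still active without the -S 2 flag; after editing the file, inetd still has to be signalled as described above before the change takes effect.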