sadmind daemon vulnerability

The sadmind daemon is used for distributed system administration operations in the Solstice AdminSuite applications. In its default configuration sadmind uses a set of clear text Remote Procedure Calls (RPC) to authenticate between two machines.

An attacker can construct RPC packets that allow them to forge a valid client identity and get it validated. Once the sadmind client has authenticated, the hacker can perform any command on the remote system even with root privileges.

Protecting against sadmind vulnerability

sadmind is controlled through the file /etc/inetd.conf as per the following entry:

100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind

In this configuration state sadmind uses cleartext hostnames and authentication credentials as the security level is default no security level.

There are two ways to deal with this situation:

  1. Completely disable the sadmind in the /etc/inted.conf
    1. If not required disable the sadmind by commenting out the sadmind line or removing it altogether.
      #100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
    2. Restart inetd:
      # /usr/bin/pkill -HUP inetd
  2. Increase the level of security
    1. Set DES encryption for your authentication mechanism by adding the -S 2 flag to the end of the sadmind line in inetd.conf:
      100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2
    2. Restart inetd:
      # /usr/bin/pkill -HUP inetd