Rlogin vulnerable through TCP sequence prediction spoofing

Risk Level: High

Check or Attack Name: rloginspoof

Platforms: Any

Description:

The rlogin service may allow an attacker masquerading as a user from a trusted host to remotely execute a command through the rlogin service.

TCP sequence numbers have been detected as predictable. If the TCP sequence is predictable, an attacker can send forged packets that appear to come from trusted machines and compromise services such as rsh and rlogin, because their authentication is based on IP addresses. The higher the percentage of guessed sequence numbers, the greater the likelihood that an attacker could predict the sequence and compromise the system.

Remedy:

Turn off rlogin and other services that authenticate based on IP address. Install patches from your vendor that correct TCP sequence prediction. For Windows NT, apply Service Pack 3 or later, which improves (but does not fully correct) Windows NT's sequence predictability. As a result, Windows NT machines may continue to report this vulnerability.

Windows: Apply the latest Windows NT 4.0 Service Pack:

  1. Open a web browser.
  2. Go to http://support.microsoft.com/support/ntserver/Content/ServicePacks/ and follow the directions to download the appropriate service pack for your computer.
  3. Find the installation program you downloaded to your computer.
  4. Double-click the program icon to start the installation.
  5. Follow the installation directions.

Hewlett-Packard: HP-UX 9.0 users can obtain and apply patch ID PHNE_14212 at http://us-support.external.hp.com/. Note: A no-cost password is required to access the Patch Database.
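
To verify the first remedy step on a Unix host, the sketch below checks for enabled rlogin/rsh entries in an inetd-style configuration and for active entries in hosts.equiv/.rhosts-style trust files. It is an added example, not part of the original advisory or the scanner's own check; it assumes classic inetd.conf syntax, and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an inetd-style config and rhosts-style trust files.
# Assumed formats: classic inetd.conf, hosts.equiv / .rhosts.

# Print each enabled (uncommented) service that authenticates by source IP:
# "login" is rlogind and "shell" is rshd in inetd.conf.
enabled_rservices() {
    [ -r "$1" ] || return 0
    awk '$1 == "login" || $1 == "shell" { print $1 }' "$1"
}

# Print the active entries of a trust file; "+" trusts every host or user.
trust_entries() {
    [ -r "$1" ] || return 0
    awk 'NF == 0 || $1 ~ /^#/ { next }
         $1 == "+" || $2 == "+" { print "WILDCARD " $0; next }
         { print "trusted " $0 }' "$1"
}

# audit CONF [TRUSTFILE...]: report findings, return 0 only if there are none.
audit() {
    conf=$1; shift
    findings=0
    for svc in $(enabled_rservices "$conf"); do
        echo "FAIL: $svc enabled in $conf"
        findings=$((findings + 1))
    done
    for f in "$@"; do
        n=$(trust_entries "$f" | wc -l | tr -d ' ')
        [ "$n" -eq 0 ] && continue
        echo "FAIL: $f has $n active trust entries"
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample files so the audit runs offline.
make_sample() {
    printf '%s\n' \
        'ftp    stream tcp nowait root /usr/sbin/in.ftpd    in.ftpd' \
        'login  stream tcp nowait root /usr/sbin/in.rlogind in.rlogind' \
        '#shell stream tcp nowait root /usr/sbin/in.rshd    in.rshd' > "$1/inetd.conf"
    printf '%s\n' '# constructed sample' 'trusted.example.com' '+' > "$1/hosts.equiv"
}

sample=$(mktemp -d)
make_sample "$sample"
audit "$sample/inetd.conf" "$sample/hosts.equiv" || echo "remediation incomplete"
```

On a real host, pass the system's own inetd configuration and each trust file (the system-wide hosts.equiv and every user's .rhosts) to `audit`.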

References:

CERT Advisory CA-96.21, TCP SYN Flooding and IP Spoofing Attacks, http://www.cert.org/advisories/CA-96.21.tcp_syn_flooding.html

CERT Advisory CA-95.01, IP Spoofing Attacks and Hijacked Terminal Connections, http://www.cert.org/advisories/CA-95.01.IP.spoofing.attacks.and.hijacked.terminal.connections.html

