Rsh vulnerable through TCP seq prediction spoofing

Risk Level: High

Check or Attack Name: rshspoof

Platforms: Any
Description:

The rsh service is vulnerable. An attacker masquerading as a user from a trusted host can execute a command remotely through the rsh service.

This vulnerability occurs because the host's TCP initial sequence numbers were detected to be predictable. If the TCP sequence is predictable, an attacker can send packets forged to appear to come from trusted machines and compromise services such as rsh and rlogin, because their authentication is based on IP addresses. The higher the percentage of sequence numbers the check was able to guess, the more likely it is that an attacker could predict the sequence and compromise the system.

False Positives: Some patches make sequence prediction more difficult, but still possible. As a result, the host may continue to report this vulnerability.

Remedy:

Turn off rshd and other services that authenticate based on IP address. Comment out the services in the /etc/inetd.conf file by putting a # at the beginning of each line, then send a HUP signal to inetd (# kill -HUP <inetd.pid>) so that it rereads the configuration. Install patches from your vendor that correct TCP sequence prediction.
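The remedy as a script, added here as an example and not part of the X-Force entry. It assumes a classic inetd.conf whose first column is the service name ("shell", "login" and "exec" for rshd, rlogind and rexecd) and that a running inetd can be located with pgrep; the configuration path is a parameter so the edit can be rehearsed on a copy first.

```sh
#!/bin/sh
# Added example (not part of the X-Force entry): comment out the r-services
# that authenticate by client IP address in an inetd.conf, then HUP inetd.

# inetd.conf service names for the daemons in question: "shell" is rshd,
# "login" is rlogind and "exec" is rexecd.
R_SERVICES="shell login exec"

# Count lines that still enable one of the r-services (first field matches
# and the line is not commented out).
count_active_r_services() {
    awk -v svcs="$R_SERVICES" '
        BEGIN { n = split(svcs, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[ \t]*#/ { next }
        ($1 in want) { c++ }
        END { print c + 0 }
    ' "$1"
}

# Comment out every active r-service line, keeping a backup of the original.
# awk writing a new copy is used instead of sed -i, which is not portable.
disable_r_services() {
    conf="$1"
    cp -p "$conf" "$conf.bak"
    awk -v svcs="$R_SERVICES" '
        BEGIN { n = split(svcs, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[ \t]*#/ { print; next }
        ($1 in want) { print "#" $0; next }
        { print }
    ' "$conf.bak" > "$conf"
}

# The "# kill -HUP <inetd.pid>" step: make inetd reread its configuration.
reload_inetd() {
    pid=$(pgrep -x inetd 2>/dev/null | head -n 1)
    [ -n "$pid" ] || { echo "inetd is not running; nothing to reload" >&2; return 1; }
    kill -HUP "$pid"
}

# Only acts when invoked explicitly, e.g.: sh rsh_off.sh --apply /etc/inetd.conf
if [ "${1:-}" = "--apply" ]; then
    conf="${2:-/etc/inetd.conf}"
    before=$(count_active_r_services "$conf")
    disable_r_services "$conf"
    echo "disabled $before r-service line(s) in $conf (backup: $conf.bak)"
    reload_inetd
fi
```

Run it against a copy of the file first and diff the result against the backup before applying it to /etc/inetd.conf.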

References:

CERT Advisory CA-95.01, IP Spoofing Attacks and Hijacked Terminal Connections, http://www.cert.org/ftp/cert_advisories/CA-95:01.IP.spoofing
