1. Introduction
The Finger Service Remote Information Disclosure vulnerability allows an attacker to obtain information about users logged into a remote system. This can aid reconnaissance, potentially leading to further attacks. Systems running the ‘finger’ service are affected, typically Linux and Unix-based servers. A successful exploit could compromise confidentiality by revealing usernames and login times.
2. Technical Explanation
The vulnerability occurs because the ‘finger’ service provides detailed information about users on a system without strong authentication. An attacker can query the service to enumerate valid usernames, determine active users, and see when they last logged in. This is documented under CVE-1999-0612. For example, an attacker could use the `finger` command from a remote machine to gather user details on the target server.
- Root cause: The ‘finger’ service runs with minimal security checks and exposes user information by design.
- Exploit mechanism: An attacker sends a query to the finger service on port 79, receiving a response containing user data.
- Scope: Linux and Unix systems running the ‘finger’ service are affected.
3. Detection and Assessment
You can confirm if a system is vulnerable by checking for the presence of the ‘finger’ service and its listening port. A thorough method involves attempting to query the service remotely.
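- Quick checks: Use `netstat -tulnp | grep ':79 '` or `ss -tulnp | grep ':79 '` to check if the service is running on port 79. With `-n` the port is printed as a number and the owning process is usually inetd, so match on the port rather than on the name ‘finger’.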
- Scanning: Nessus plugin ID 23864 can detect exposed Finger services. This is an example only.
- Logs and evidence: Check system logs for connections to port 79, indicating potential queries to the finger service.
netstat -tulnp | grep ':79 '
4. Solution / Remediation Steps
The following steps disable the ‘finger’ service to prevent information disclosure. These are small, testable actions with a clear rollback plan.
4.1 Preparation
- Dependencies: None. Roll back by restoring the original /etc/inetd.conf and restarting the inetd service.
- Change window: This change requires a brief service interruption. Approval may be needed depending on your organization’s policies.
4.2 Implementation
- Step 1: Comment out the ‘finger’ line in /etc/inetd.conf by adding a ‘#’ at the beginning of the line.
- Step 2: Save the changes to /etc/inetd.conf.
- Step 3: Restart the inetd process using `systemctl restart inetd` or `/etc/init.d/inetd restart`.
4.3 Config or Code Example
Before
finger stream tcp nowait root /usr/sbin/tcpd finger
After
#finger stream tcp nowait root /usr/sbin/tcpd finger
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent this type of vulnerability. Least privilege limits the impact if exploited, and disabling unnecessary services reduces the attack surface.
- Practice 1: Least privilege – run services with minimal necessary permissions.
- Practice 2: Disable unused services – remove or disable any service that is not required for business operations.
4.5 Automation (Optional)
#!/bin/bash
# Backup inetd.conf
cp /etc/inetd.conf /etc/inetd.conf.bak
# Comment out the finger line (fields may be separated by tabs or spaces)
sed -i '/^finger[[:space:]]/ s/^/#/' /etc/inetd.conf
# Restart inetd service
systemctl restart inetd
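A variant of the automation step, added here as an example and not part of the original advisory: it can be re-run safely, keeps the first backup intact, and verifies that no active finger entry remains. The function names and the sample file contents are assumptions made for illustration.

```bash
#!/bin/bash
# Added example. Function names and the sample file are hypothetical.

# Print active (uncommented) finger entries in file $1; status 1 if none.
finger_entries() {
    grep -E '^[[:space:]]*finger[[:space:]]' "$1"
}

# Comment out every active finger entry in file $1.
# Returns 0 = changed, 1 = nothing to do, 2 = error.
disable_finger() {
    conf=$1
    if [ ! -r "$conf" ] || [ ! -w "$conf" ]; then
        echo "cannot read/write $conf" >&2
        return 2
    fi
    # Stop before touching the backup, so a second run cannot overwrite the
    # pre-change copy with an already-modified file.
    finger_entries "$conf" >/dev/null || return 1
    cp -p "$conf" "$conf.bak" || return 2
    # Match on whitespace rather than on the literal line, so tab-separated
    # and space-separated entries are both handled.
    sed -i -E 's/^([[:space:]]*)(finger[[:space:]])/\1#\2/' "$conf" || return 2
    # Verify the edit; restore the backup if an active entry survived.
    if finger_entries "$conf" >/dev/null; then
        cp -p "$conf.bak" "$conf"
        return 2
    fi
    return 0
}

# Constructed sample contents for a dry run (not taken from a real host).
sample_inetd_conf() {
    printf '# constructed sample\n'
    printf 'ftp\tstream\ttcp\tnowait\troot\t/usr/sbin/tcpd\tin.ftpd\n'
    printf 'finger\tstream\ttcp\tnowait\troot\t/usr/sbin/tcpd\tfinger\n'
    printf '  finger stream tcp6 nowait root /usr/sbin/tcpd finger\n'
    printf '#finger stream tcp nowait root /usr/sbin/tcpd finger\n'
}

# Usage on a real host (as root), followed by the restart from Step 3:
#   disable_finger /etc/inetd.conf && systemctl restart inetd
```

For a dry run, write `sample_inetd_conf` to a temporary file and call `disable_finger` on that file before touching /etc/inetd.conf.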
5. Verification / Validation
Confirm the fix by checking that the ‘finger’ service is no longer listening on port 79 and attempting to query it remotely. A smoke test verifies basic system functionality remains intact.
- Post-fix check: Run `netstat -tulnp | grep ':79 '` or `ss -tulnp | grep ':79 '`. No output should be returned.
- Re-test: Repeat the detection method from section 3, confirming that the service is no longer exposed.
- Smoke test: Verify basic network connectivity (ping) and SSH access to the server.
- Monitoring: Monitor system logs for any attempts to connect to port 79.
netstat -tulnp | grep ':79 '
6. Preventive Measures and Monitoring
Regular security baselines and vulnerability scanning can prevent this issue. Patch management ensures systems are up-to-date with the latest security fixes.
- Baselines: Update your system baseline to disable unnecessary services like ‘finger’.
- Asset and patch process: Implement a regular patch review cycle for all systems.
7. Risks, Side Effects, and Roll Back
Disabling the ‘finger’ service may impact applications relying on it (rare). The rollback plan restores the original configuration file.
- Risk or side effect 1: Applications that depend on the finger service will be affected.
- Risk or side effect 2: None known.
- Roll back: Restore /etc/inetd.conf from the backup created in step 4.1 and restart the inetd service.
8. References and Resources
- Vendor advisory or bulletin: N/A
- NVD or CVE entry: CVE-1999-0612
- Product or platform documentation relevant to the fix: N/A