Excessive Finger Information

Summary

Certain finger servers, when queried, release more data than necessary about accounts on the system, including who is currently logged on.

Impact

This excess information could be used as clues for guessing user passwords, for determining when the system is idle, and as an indicator of when best to attack the system. Many finger servers provide excessive information on users of the system: they may return a list of users with associated personal information, and they also indicate who is logged on. This gives the hacker valuable data to (1) guess poor passwords and (2) determine the optimum time to hack.

Resolution

There are several methods of limiting finger information. If you don't use finger, disable it in inetd.conf and then restart the inet daemon. If you need finger for your enterprise, you can install TCP Wrappers and limit access to it.
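Both resolutions above, as an added example that is not part of the original advisory: a POSIX shell script that comments out the finger entry in an inetd.conf-style file, verifies that no active entry remains, and alternatively restricts in.fingerd with TCP Wrappers hosts.allow/hosts.deny rules. The daemon name in.fingerd, the network 192.168.1.0/255.255.255.0 and the pid-file path /var/run/inetd.pid are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original advisory): apply the Resolution to an
# inetd-style system. File paths are arguments so the functions can be tried
# on copies of the real files first.

# Comment out every active inetd.conf entry whose service name is "finger".
# The classic inetd.conf format keeps the service name in the first column.
disable_finger() {
    conf="$1"
    cp "$conf" "$conf.bak" || return 1          # keep a backup copy
    sed 's/^\([[:space:]]*finger[[:space:]]\)/#\1/' "$conf.bak" > "$conf"
}

# Succeed (exit 0) only if no uncommented finger entry remains in the file.
finger_disabled() {
    ! grep -q '^[[:space:]]*finger[[:space:]]' "$1"
}

# TCP Wrappers alternative: deny in.fingerd to everyone, then allow only one
# internal network. Daemon name and network are assumptions for the example.
wrap_finger() {
    allow_file="$1"; deny_file="$2"; net="$3"
    printf 'in.fingerd : %s\n' "$net" >> "$allow_file"
    printf 'in.fingerd : ALL\n' >> "$deny_file"
}

# Tell a running inetd to re-read its configuration ("restart the inet
# daemon"). The default pid-file path is an assumption; adjust for your system.
reload_inetd() {
    pidfile="${1:-/var/run/inetd.pid}"
    [ -r "$pidfile" ] && kill -HUP "$(cat "$pidfile")"
}

# Demonstration on a constructed inetd.conf in a temp directory, not a real
# system file. Run as: sh harden_finger.sh demo
demo() {
    d=$(mktemp -d)
    printf 'finger\tstream\ttcp\tnowait\tnobody\t/usr/sbin/tcpd\tin.fingerd\n' > "$d/inetd.conf"
    printf 'telnet\tstream\ttcp\tnowait\troot\t/usr/sbin/tcpd\tin.telnetd\n' >> "$d/inetd.conf"
    disable_finger "$d/inetd.conf"
    finger_disabled "$d/inetd.conf" && echo "finger disabled in $d/inetd.conf"
    wrap_finger "$d/hosts.allow" "$d/hosts.deny" "192.168.1.0/255.255.255.0"
    cat "$d/inetd.conf" "$d/hosts.allow" "$d/hosts.deny"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

The sed rule only touches lines whose first field is exactly finger, so other services in the same file are left as they were.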

CVE Reference(s):