CVE-1999-0628 in rwhoinfo

Summary

by MITRE

The rwho/rwhod service is running, which exposes machine status and user information.


Analysis

by VulDB Data Team • 04/16/2026

The rwho/rwhod service, dating from the late 1990s, exposes machine status and user information to the network without protection, undermining the confidentiality and integrity of networked systems. The service is part of the remote host identification protocol and is designed to report on remote systems and their users. The weakness is a design flaw: detailed machine status and user data are returned to any network entity that can reach the service. The rwho service listens on UDP port 513, while rwhod operates on TCP port 513, so an attacker gathering intelligence about target systems has more than one way to reach it. Handing this system information to unauthenticated parties violates the basic principle that such data should remain private and protected.

Technically, the weakness is the absence of authentication and access control. When rwho/rwhod is active, it reports system information including hostname, user login names, terminal types, and connection times to any client that can establish a network connection, with no user verification or privilege checking, so enumerating system details and user activity across a network is trivial. The service effectively functions as an open information repository whose reconnaissance data can be used to plan subsequent attacks. There is no input validation and no access control enforcement, so any remote user can query and receive system information that would normally be restricted to authorized administrators.

The operational impact goes beyond simple information disclosure: the exposed data is a foundation for further attacks inside the target network. An attacker can use the user information to identify active users, their terminal sessions, and system availability patterns, which supports targeted social engineering and credential harvesting. Because no special privileges or complex techniques are required, the exposure can be exploited repeatedly. Network reconnaissance is significantly easier when the service is active, since it reveals system configurations, user activities, and network topology. This matches the behaviour described in the attack technique matrix under T1018, where adversaries gather information about network topology and system configurations to plan further intrusions.

The security implications are substantial given the attack surface the service creates. The information it exposes, including user names, terminal information, and system uptime, can be used to craft targeted phishing campaigns or to identify weak points in system security. The design flaw is a classic case of insufficient access control and information hiding: administrators inadvertently expose operational data to unauthorized parties. It runs counter to secure-by-design principles and the principle of least privilege, since it grants information access that should be restricted to authorized personnel. Attackers can use it to map network topologies, identify vulnerable systems, and plan coordinated attacks against multiple targets within the same network.

Mitigation focuses on removing the service entirely or restricting network access to it. The most effective approach is to disable rwho/rwhod on all systems and ensure it cannot be re-enabled without explicit administrative approval and security review. Administrators should also add firewall rules that block the affected ports and ensure that any remaining instances are protected by authentication mechanisms. Remediation should include a system audit to identify all instances of the service and verify that access controls are in place. Organizations should also monitor the network for access attempts to the service and ensure that security policy prohibits services that expose sensitive system information. The case illustrates the value of regularly reviewing and disabling unnecessary network services, as recommended by industry best practices for secure system administration and configuration management.
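The monitoring step above, as an added example that is not part of the VulDB entry: a small parser for firewall log lines in the iptables LOG-target style that flags traffic to port 513 over either protocol the analysis names and groups it by source. The log lines are constructed for the demonstration; the log prefix and addresses are assumptions.

```python
import re
from collections import defaultdict

# Port named in the analysis; both protocols are checked because the text
# lists UDP and TCP 513.
RWHO_PORT = 513
RWHO_PROTOS = {"UDP", "TCP"}

# Constructed kernel log lines in iptables LOG-target style (not real traffic).
SAMPLE_LOG = """\
Apr 16 10:01:02 gw kernel: FW-IN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=513 DPT=513 LEN=40
Apr 16 10:01:03 gw kernel: FW-IN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.6 PROTO=UDP SPT=4000 DPT=513 LEN=40
Apr 16 10:01:05 gw kernel: FW-IN: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=513 LEN=60
Apr 16 10:01:07 gw kernel: FW-IN: IN=eth0 OUT= SRC=192.0.2.30 DST=198.51.100.5 PROTO=TCP SPT=51235 DPT=22 LEN=60
Apr 16 10:01:09 gw kernel: FW-IN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=513 DPT=514 LEN=40
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_line(line):
    """Return the SRC/DST/PROTO/SPT/DPT fields of one log line, or None if incomplete."""
    fields = dict(FIELD_RE.findall(line))
    if not all(k in fields for k in ("SRC", "DST", "PROTO", "DPT")):
        return None
    return fields


def find_rwho_probes(log_text):
    """Return {src: {"count": n, "targets": [dst, ...]}} for packets aimed at port 513."""
    hits = defaultdict(lambda: {"count": 0, "targets": set()})
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        if f["PROTO"] in RWHO_PROTOS and int(f["DPT"]) == RWHO_PORT:
            hits[f["SRC"]]["count"] += 1
            hits[f["SRC"]]["targets"].add(f["DST"])
    # Sort target lists so the report (and any test) is deterministic.
    return {src: {"count": v["count"], "targets": sorted(v["targets"])}
            for src, v in hits.items()}


if __name__ == "__main__":
    for src, info in find_rwho_probes(SAMPLE_LOG).items():
        print(f"{src}: {info['count']} packet(s) to port {RWHO_PORT}, "
              f"hosts {', '.join(info['targets'])}")
```

A source that reaches port 513 on several hosts in a short window is the pattern worth alerting on; the port-22 and port-514 lines in the sample are left out on purpose to show the filter.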

Disclosure

07/01/1997

Moderation

accepted

Entry

VDB-13935

CPE

ready

EPSS

0.00610

KEV

no

Activities

low
