Security readout for executives and security teams
Plain-English summary
This finding flags that legacy rsh and rlogin remote-access services are running on a host. These 1980s-era utilities transmit usernames, passwords, and session data in cleartext and rely on weak trust models, meaning anyone who can observe network traffic or spoof a trusted source can read credentials or gain access. Modern security baselines treat their presence as a configuration weakness that should be replaced by SSH.
Executive priority
Treat as a hygiene and compliance priority rather than an emergency. There is no evidence of active mass exploitation, but running r-services signals unmanaged legacy systems and typically fails PCI, HIPAA, and CIS benchmarks. Schedule remediation in the next maintenance window and include in configuration standards moving forward.
Technical view
CVE-1999-0651 is an informational entry describing the exposure of Berkeley r-services (rshd on TCP/514, rlogind on TCP/513). These daemons authenticate using .rhosts and hosts.equiv trust files and IP/hostname assertions, with no encryption of the channel. Consequences include credential disclosure via passive sniffing, session hijacking, and unauthorized shell access when trust files are permissive or source addresses can be spoofed. The CVE record does not name a specific vendor, product, version, CWE, or CVSS score, and it is not on CISA KEV.
Likely exposure
Exposure is highest on legacy Unix, HP-UX, AIX, Solaris, or embedded appliances where r-services were historically enabled by default. Internet-facing exposure is rare today; internal segments, lab networks, industrial systems, and forgotten hosts are the more common footprint. Any host listening on TCP/513 or TCP/514 with r-services enabled should be considered exposed to eavesdropping and trust abuse from adjacent networks.
Exploitation context
Not listed in CISA KEV and no active-exploitation citation is present in the source bundle. However, the underlying weaknesses (cleartext credentials and trust-file authentication) have been well understood and abused for decades, and continue to be flagged by common vulnerability scanners such as Nessus and OpenVAS as a hygiene issue rather than a remote code execution bug.
Researcher notes
This CVE is one of the original informational entries with no CVSS, CWE, or vendor mapping. It effectively documents a policy violation: any host running r-services. Pair the finding with related entries such as CVE-1999-0651-adjacent rexec (CVE-1999-0618) and cleartext-protocol advisories. Confirm whether the service is bound to all interfaces or restricted, and enumerate trust files to gauge blast radius.
Mitigation direction
- Disable rshd and rlogind and remove the rsh/rlogin packages from all servers.
- Replace remote shell and login workflows with SSH using key-based authentication.
- Block TCP/513 and TCP/514 at host firewalls and network perimeters.
- Audit and remove .rhosts and hosts.equiv files on all Unix systems.
- Consult vendor hardening guides for platform-specific removal steps.
Validation and detection
- Scan the environment for open TCP/513 and TCP/514 listeners.
- Review inetd, xinetd, and systemd unit files for rshd and rlogind entries.
- Confirm rsh, rlogin, and rexec packages are uninstalled on target hosts.
- Verify SSH is the only authorized interactive remote-access service in configuration baselines.
- Re-run the vulnerability scan to confirm the finding has cleared.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CVE-1999-0651 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Unknown
- CVSS
- Not scored
- Known Exploited
- No
- Published
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS and timeline data
No CVSS vectors or timeline events were available in the normalized CVE source material.
Source materials
- CVE List V5 sourceCVE List V5
- https://exchange.xforce.ibmcloud.com/vulnerabilities/2995CVE reference · x_refsource_MISC
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
