Cfingerd contains a flaw that may allow a malicious user to execute arbitrary commands as root. The flaw is due to a failure of the program to drop privileges, combined with a configuration option that allows command execution. If the ALLOW_EXECUTION option in the cfingerd.conf file is enabled, a user can place and/or compile a program of their choosing in a publicly writable area of the system, such as /tmp, and then run that file from their ~/.plan file by adding a line such as "$exec /tmp/exploit". Because cfingerd does not drop privileges before running it, this program can easily obtain root privileges through calls to setuid() and setgid(). Exploitation of this flaw can result in a loss of confidentiality and/or integrity.
Upgrade to version 1.4.0 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by disabling the ALLOW_EXECUTION option in the cfingerd.conf file.
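To find accounts that already rely on the directive before disabling ALLOW_EXECUTION, the following added example (not part of this advisory or of cfingerd) lists every "$exec" line in users' .plan files and flags targets that sit in a world-writable directory. It assumes home directories share one parent directory and that the directive may appear anywhere on a line; the sample tree and user names in demo() are constructed.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

EXEC_RE = re.compile(r"\$exec\s+(\S+)")  # directive form quoted in the advisory


def world_writable(directory):
    """True if the directory exists and any local user can write to it."""
    try:
        return bool(os.stat(directory).st_mode & stat.S_IWOTH)
    except OSError:
        return False


def audit_plans(home_root):
    """Return (user, line_no, target, in_world_writable_dir) per $exec line."""
    findings = []
    for plan in sorted(Path(home_root).glob("*/.plan")):
        try:
            lines = plan.read_text(errors="replace").splitlines()
        except OSError:
            continue  # unreadable .plan: skip it, keep auditing
        for line_no, line in enumerate(lines, 1):
            for target in EXEC_RE.findall(line):
                risky = world_writable(os.path.dirname(target))
                findings.append((plan.parent.name, line_no, target, risky))
    return findings


def demo():
    """Audit a constructed home tree (sample data, not real accounts)."""
    with tempfile.TemporaryDirectory() as root:
        pub = os.path.join(root, "pub")
        os.mkdir(pub)
        os.chmod(pub, 0o1777)  # stands in for /tmp
        plans = {"alice": f"Out of office.\n$exec {pub}/tool\n",
                 "bob": "Working on docs.\n",
                 "carol": "$exec /no-such-dir-example/report\n"}
        for user, text in plans.items():
            os.makedirs(os.path.join(root, "home", user))
            Path(root, "home", user, ".plan").write_text(text)
        return audit_plans(os.path.join(root, "home"))


if __name__ == "__main__":
    print(demo())
```

On a real host, call audit_plans() with the parent directory of the home directories; a flagged entry is a target any user on the system could create or replace.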