This vulnerability allows for remote shell/remote login access from arbitrary hosts.
Impact
The machine can be taken over by any malicious (super) user on the network. In other words, depending on the configuration of the target system, a malicious user will be able to log on to the target without a password. Once the user has gained access, he/she will have access to any number of system programs and/or configuration files. This means, of course, that the user may, for example, gain access to password files and sensitive/classified information stored on the machine, and delete or change important configuration information that the machine needs to operate properly. The potential harm that may be done to the compromised machine is almost unlimited.
In addition, there are guest or administrative accounts that might not have passwords protecting the account, which allows anyone to log in remotely as that user and gain access to the host.
Resolution
Remove the wildcard (+) from the /etc/hosts.equiv file. Be careful with the use of the -@group netgroup feature, as there are many incorrect implementations. Also, delete or disable any accounts without a password from the system or NIS password file. Another fix is to give system accounts such as bin and daemon a non-functional shell (such as /bin/false) and put them in the /etc/ftpusers file so they cannot use FTP.
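The checks in the resolution above can be scripted. The following is an added example, not part of the original advisory: the function names, the sample files, and the treatment of /sbin/nologin and /usr/sbin/nologin as non-functional shells are assumptions. It runs against constructed copies of the files rather than the live system.

```shell
#!/bin/sh
# Added audit example. Paths are arguments so it can run on copies of the files.

# hosts.equiv lines whose host field is the bare wildcard "+".
wildcard_entries() { awk '$1 == "+" { print NR ": " $0 }' "$1"; }

# Netgroup entries (+@group / -@group), listed for manual review.
netgroup_entries() { awk '$1 ~ /^[-+]@/ { print NR ": " $0 }' "$1"; }

# Accounts with an empty password field (passwd or shadow format).
# Lines starting with +, - or # are NIS compat entries or comments, not accounts.
empty_password_accounts() {
    awk -F: 'NF >= 2 && $1 != "" && $1 !~ /^[-+#]/ && $2 == "" { print $1 }' "$1"
}

# System accounts (default: bin daemon) with a usable shell or absent from ftpusers.
# Assumption: /sbin/nologin and /usr/sbin/nologin count as non-functional too;
# the page itself names only /bin/false.
weak_system_accounts() {
    passwd_file=$1; ftpusers_file=$2; shift 2
    [ $# -gt 0 ] || set -- bin daemon
    for acct in "$@"; do
        entry=$(awk -F: -v u="$acct" '$1 == u { print; exit }' "$passwd_file")
        [ -n "$entry" ] || continue            # account not present
        case ${entry##*:} in
            /bin/false|/sbin/nologin|/usr/sbin/nologin) ;;
            *) echo "$acct: login shell '${entry##*:}'" ;;
        esac
        grep -qxF "$acct" "$ftpusers_file" 2>/dev/null || echo "$acct: not in ftpusers"
    done
}

# Constructed sample files (not from a real host) to exercise the checks.
d=$(mktemp -d)
printf '%s\n' 'trusted.example.com' '+' '-@badhosts' > "$d/hosts.equiv"
printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' 'guest::500:500::/home/guest:/bin/sh' \
    'bin:x:1:1:bin:/bin:/bin/sh' 'daemon:x:2:2:daemon:/sbin:/bin/false' > "$d/passwd"
printf '%s\n' 'daemon' > "$d/ftpusers"

echo "wildcard:";        wildcard_entries "$d/hosts.equiv"
echo "netgroups:";       netgroup_entries "$d/hosts.equiv"
echo "no password:";     empty_password_accounts "$d/passwd"
echo "system accounts:"; weak_system_accounts "$d/passwd" "$d/ftpusers"
```

Any line printed under a heading is a finding to fix; on a real host, pass copies of /etc/hosts.equiv, the password file and /etc/ftpusers to the same functions.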
Where can I read more about this?
See the Admin Guide to Cracking for an example of why this vulnerability is a problem.