Child pages
  • CERT Advisory CA-1992-01 NeXTstep Configuration Vulnerability

Pages in the Historical section of this site are provided for historical purposes, they are no longer maintained. Links may not work.

Skip to end of metadata
Go to start of metadata
Original issue date: January 20, 1992
Last revised: September 19, 1997
Attached copyright statement

A complete revision history is at the end of this file.

The CERT Coordination Center has received information concerning a vulnerability in release 2 of NeXTstep's NetInfo default configuration. This vulnerability will be corrected in future versions of NeXTstep.

I. Description

By default, a NetInfo server process will provide information to any machine that requests it.

II. Impact

Remote users can gain unauthorized access to the network's administrative information such as the passwd file.

III. Solution

Ensure that the trusted_networks property of each NetInfo domain's root NetInfo directory is set correctly, so that only those systems which should be obtaining information from NetInfo are granted access. The value for the trusted_networks property should be the network numbers of the networks the server should trust.

Note that improperly setting trusted_networks can render your network unusable.

Consult Chapter 16, "Security", of the NeXT Network and System Administration manual for release 2 for details on setting the trusted_networks property of the root NetInfo directory.

The CERT/CC wishes to thank NeXT Computer, Inc. for their cooperation in documenting and publicizing this security vulnerability.

Copyright 1992 Carnegie Mellon University.

Revision History
September 19,1997  Attached copyright statement
  • No labels