Last revised: September 19, 1997
Attached copyright statement
A complete revision history is at the end of this file.
The CERT Coordination Center has received information concerning a vulnerability in release 2 of NeXTstep's NetInfo default configuration. This vulnerability will be corrected in future versions of NeXTstep.
I. Description
By default, a NetInfo server process will provide information to any machine that requests it.
II. Impact
Remote users can gain unauthorized access to the network's administrative information such as the passwd file.
III. Solution
Ensure that the trusted_networks property of each NetInfo domain's root NetInfo directory is set correctly, so that only those systems which should be obtaining information from NetInfo are granted access. The value for the trusted_networks property should be the network numbers of the networks the server should trust.
Note that improperly setting trusted_networks can render your network unusable.
Consult Chapter 16, "Security", of the NeXT Network and System Administration manual for release 2 for details on setting the trusted_networks property of the root NetInfo directory.
The CERT/CC wishes to thank NeXT Computer, Inc. for their cooperation in documenting and publicizing this security vulnerability.
Copyright 1992 Carnegie Mellon University.
Revision History
September 19,1997 Attached copyright statement