Original issue date: June 9, 1998<BR>
Last revised: Nov 9, 1999<BR>
Updated vendor information for Data General.<BR>

<P>A complete revision history is at the end of this file.

<P>The CERT Coordination Center has received a report from Internet
Security Systems regarding a vulnerability in some implementations of
NIS+. The NIS+ service is offered by the rpc.nisd program on many
systems.

<P>We recommend installing a vendor patch as soon as possible. Until
you are able to do that, we encourage you to implement applicable
workarounds as described in <A HREF="#III">section III</A>.

<P>We will update this advisory as we receive additional information.
Please check our advisory files regularly for updates that relate to
your site.

<P><HR>

<P>
<H1>I. Description</H1>

<P>NIS+ and NIS are designed to assist in the administration of
networks by providing centralized management and distribution of
information about users, machines, and other resources on the
network. NIS+ is a replacement for NIS. A buffer overflow exists in
some versions of NIS+. At this time, we do not believe any versions of
NIS are vulnerable to this buffer overflow. Note that this
vulnerability exists independently of the security level at which the
NIS+ server is running.

<P>
<H1>II. Impact</H1>

<P>Depending on the configuration of the target machine, a remote
intruder can gain root access to a vulnerable system or cause the NIS+
server to crash, which affects the usability of any system that
depends on NIS+.

<P>Additionally, if your NIS+ server is running in NIS compatibility
mode and if an intruder is able to crash the NIS+ server, the intruder
may be able to masquerade as an NIS server and gain access to machines
that depend on NIS for authentication.

<P>Finally, if an intruder is able to crash an NIS+ server and there
are clients on the local network that are initialized by broadcast, an
intruder may be able to provide false initialization information to
the NIS+ clients. Clients that are initialized by hostname may also be
vulnerable under some circumstances.

<P>
<A NAME="III"></A>
<H1>III. Solution</H1>

<P>
<OL>
<H3><LI TYPE="A">Obtain and install a patch from your vendor. </H3>

<P><A HREF="#AppA">Appendix A</A> contains input from vendors who have
provided information for this advisory. We will update the appendix as
we receive more information. If you do not see your vendor's name, the
CERT/CC did not hear from that vendor. Please contact your vendor
directly.

<P>
<H3><LI>Until you are able to install the appropriate patch, we recommend the following workaround.</H3>

<P><OL><LI>As with any software, particularly network services, 
            if you do not depend on NIS+, we encourage you to disable
            it.
</OL>

<P>
<H3><LI>If you must operate with an unpatched version of NIS+, the risk may be mitigated using the following strategies.</H3>

<P><OL><LI>Limit external access to your portmapper by blocking access
            to port 111 at your firewall or router. Additionally, if
            you have not already done so, apply the patches referenced
            in VB-97.03, available at

<P><A HREF="ftp://ftp.cert.org/pub/cert_bulletins/VB-97.03.sun">ftp://ftp.cert.org/pub/cert_bulletins/VB-97.03.sun</A>

<P> 
            Note that restricting access to the portmapper does not
            necessarily prevent an intruder from connecting directly
            to the port on which NIS+ is running. For this and other
            reasons we recommend that any port that is not explicitly
            required be blocked at your router or firewall.

<P><LI>Configure your system to mark the stack as non-executable.
            For example, on Solaris systems running on sun4m, sun4d
            and sun4u platforms, the variable noexec_user_stack in the
            /etc/system file can be used to mark the stack as
            non-executable by default. While this will prevent an
            intruder from gaining root access, it will not prevent an
            intruder from crashing the NIS+ server. For more
            information on the noexec_user_stack variable, see

<P><A HREF="http://docs.sun.com:80/ab2/coll.47.4/SYSADMIN1/@Ab2PageView/91907?DwebQuery=executable+stacks">http://docs.sun.com:80/ab2/coll.47.4/SYSADMIN1/@Ab2PageView/91907?DwebQuery=executable+stacks</A>

<P> 
            Marking the stack as non-executable is highly dependent on
            hardware and software configurations. For information on
            marking the stack as non-executable on other platforms,
            consult your vendor or operating systems manuals. 

<P><LI>Initialize newly installed NIS+ clients using a method that
            does not rely on unauthenticated network information. For
            example, on Solaris systems you can copy the
            /var/nis/NIS_COLD_START file from an already existing NIS+
            client, and use that file as input to the nisinit command.
</OL></OL>
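<P>As an added example (not part of the CERT advisory or any vendor's material), the following POSIX shell script audits an /etc/system file for the non-executable stack workaround from strategy 2. It assumes the Solaris /etc/system syntax <CODE>set name=value</CODE> with comment lines beginning with <CODE>*</CODE>, and that when a name is set more than once the last uncommented value is the effective one. Besides noexec_user_stack, which the advisory names, it reports noexec_user_stack_log, a companion Solaris tunable that logs attempts to execute on the stack; that tunable is not mentioned in the advisory. The sample file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the CERT advisory. Audits an /etc/system file for the
# noexec_user_stack workaround (strategy 2 above). Assumes Solaris /etc/system syntax:
#   set noexec_user_stack=1       mark user stacks non-executable (named in the advisory)
#   set noexec_user_stack_log=1   log attempts to run code on the stack (Solaris tunable,
#                                 not mentioned in the advisory)
# Lines beginning with '*' are comments. When a name is set more than once, the last
# uncommented value is reported as the effective one (assumption about how the file is read).

# system_setting FILE NAME -> prints the effective value of "set NAME=VALUE", or nothing
system_setting() {
    awk -v name="$2" '
        /^[ \t]*\*/ { next }                         # comment line
        $1 == "set" {
            line = $0
            sub(/^[ \t]*set[ \t]+/, "", line)         # drop the "set" keyword
            n = split(line, kv, "[ \t]*=[ \t]*")      # kv[1] = name, kv[2] = value
            if (n >= 2 && kv[1] == name) {
                val = kv[2]
                sub(/[ \t]+$/, "", val)               # strip trailing blanks
            }
        }
        END { if (val != "") print val }
    ' "$1"
}

# noexec_stack_status FILE -> prints "enabled" or "disabled"; exit 0 only when enabled
noexec_stack_status() {
    if [ "$(system_setting "$1" noexec_user_stack)" = "1" ]; then
        echo enabled
        return 0
    fi
    echo disabled
    return 1
}

# audit_system FILE -> short report; exit 0 when the workaround is configured.
# The advisory's caveat still applies: a non-executable stack blocks the root
# compromise but not the crash of rpc.nisd, so this is a stopgap, not the fix.
audit_system() {
    stack=$(noexec_stack_status "$1") || true
    log=$(system_setting "$1" noexec_user_stack_log)
    echo "$1: noexec_user_stack is $stack (a change takes effect at next boot)"
    echo "$1: noexec_user_stack_log is ${log:-unset}"
    [ "$stack" = "enabled" ]
}

# write_sample FILE -> constructed /etc/system content used for the demonstration
write_sample() {
    cat > "$1" <<'EOF'
* Constructed sample /etc/system (not taken from any real host)
set maxusers=64
* set noexec_user_stack=1
set noexec_user_stack=0
set noexec_user_stack=1
set noexec_user_stack_log=1
EOF
}

# Stand-alone demonstration; on a real Solaris host run: audit_system /etc/system
sample=$(mktemp)
write_sample "$sample"
audit_system "$sample"
rm -f "$sample"
```

<P>The script only confirms what is configured in the file; a setting added to /etc/system is applied at the next boot, and only on the sun4m, sun4d and sun4u platforms the advisory lists, so the result should be read together with the vendor's documentation for the hardware in use.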

<P><HR>

<P>
<A NAME="AppA"></A>
<H1>Appendix A - Vendor Information</H1>

<P>Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional information.
If you do not see your vendor's name, the CERT/CC did not hear from that
vendor. Please contact the vendor directly.

<P>
<H4>Data General</H4>

<P><PRE>
Data General is not vulnerable to this problem.
</PRE>

<P>
<H4>Digital Equipment Corporation</H4>

<P><PRE>
This problem is not present for Digital's ULTRIX or Digital UNIX
Operating Systems Software.

</PRE>

<P>
<H4>FreeBSD, Inc.</H4>

<P><PRE>
FreeBSD is not vulnerable.

</PRE>

<H4>Fujitsu</H4>

<P><PRE>
UXP/V V10L20, the current version of the UNIX-based operating system running
on the Fujitsu VPP Series supercomputers, is vulnerable. Fujitsu is currently
working on a patch for UXP/V V10L20.

UXP/V V10L10, the version that preceded V10L20, is not vulnerable.
</PRE>

<P>
<H4>Hewlett-Packard Company</H4>

<P><PRE>
HP-UX is Vulnerable. Patches in process.

</PRE>

<P>
<H4>IBM Corporation</H4>

<P><PRE>
AIX is not vulnerable.

</PRE>

<P>
<H4>NEC Corporation</H4>

<P><PRE>
Some NEC systems are vulnerable. Patches are in progress and will be
available from ftp://ftp.meshnet.or.jp/pub/48pub/security.

</PRE>

<P>
<H4>The NetBSD Project</H4>

<P><PRE>
NetBSD is not vulnerable.

</PRE>

<P>
<H4>OpenBSD</H4>

<P><PRE>
OpenBSD is not vulnerable.

</PRE>

<P>
<H4>The Santa Cruz Operation, Inc.</H4>

<P><PRE>
No SCO products are vulnerable.

</PRE>

<P>
<H4>Sun Microsystems, Inc.</H4>

<P><PRE>
Patches were released for Solaris 5.4, 5.5, 5.5.1, and 5.6.

The patch numbers are as follows.

        5.4     sparc   101973-35
        5.4     intel   101974-35
        5.5     sparc   103187-38
        5.5     intel   103188-38
        5.5.1   sparc   103612-41
        5.5.1   intel   103613-41
        5.6     sparc   105401-12
        5.6     intel   105402-12

Sun estimates that a patch for SunOS 5.3 will be available in about 12
weeks. The expected patch number is 101318-91.

</PRE>

<P><HR>

<P>We wish to thank Josh Daymont of ISS who reported the vulnerability
and provided technical assistance.


<p>Copyright 1998 Carnegie Mellon University.</p>

<HR>

Revision History
<PRE>
July 22, 1999  Added vendor information for Fujitsu.
Nov 9, 1999    Updated vendor information for Data General.
</PRE>