Copyright 2024 - CSIM - Asian Institute of Technology

Security Advisories

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CERT* Advisory CA-98.06
Original issue date: June 09, 1998
Last revised: --
              
Topic: Buffer Overflow in NIS+
- -----------------------------------------------------------------------------

The CERT Coordination Center has received a report from Internet
Security Systems regarding a vulnerability in some implementations of
NIS+. The NIS+ service is offered by the rpc.nisd program on many
systems.

We recommend installing a vendor patch as soon as possible. Until you
are able to do that, we encourage you to implement applicable
workarounds as described in section III.

We will update this advisory as we receive additional information.
Please check our advisory files regularly for updates that relate to
your site.

- -----------------------------------------------------------------------------

I.   Description

     NIS+ and NIS are designed to assist in the administration of
     networks by providing centralized management and distribution of
     information about users, machines, and other resources on the
     network. NIS+ is a replacement for NIS. A buffer overflow exists
     in some versions of NIS+. At this time, we do not believe any
     versions of NIS are vulnerable to this buffer overflow. Note that
     this vulnerability exists independently of the security level at
     which the NIS+ server is running.

II.  Impact

     Depending on the configuration of the target machine, a remote
     intruder can gain root access to a vulnerable system or cause
     the NIS+ server to crash, which will affect the usability of any
     system which depends on NIS+.

     Additionally, if your NIS+ server is running in NIS compatibility
     mode and if an intruder is able to crash the NIS+ server, the
     intruder may be able to masquerade as an NIS server and gain
     access to machines that depend on NIS for authentication.

     Finally, if an intruder is able to crash an NIS+ server and
     there are clients on the local network that are initialized by
     broadcast, an intruder may be able to provide false
     initialization information to the NIS+ clients. Clients that are
     initialized by hostname may also be vulnerable under some
     circumstances.

III. Solution

     A.  Obtain and install a patch from your vendor. 

         Appendix A contains input from vendors who have provided
         information for this advisory. We will update the appendix as
         we receive more information. If you do not see your vendor's
         name, the CERT/CC did not hear from that vendor. Please
         contact your vendor directly.

     B.  Until you are able to install the appropriate patch, we
         recommend the following workaround.  

         1. As with any software, particularly network services, 
            if you do not depend on NIS+, we encourage you to disable
            it.

     C.  If you must operate with an unpatched version of NIS+, the 
         risk may be mitigated using the following strategies.

         1. Limit external access to your portmapper by blocking access
            to port 111 at your firewall or router. Additionally, if
            you have not already done so, apply the patches referenced
            in VB-97.03, available at
 
            ftp://ftp.cert.org/pub/cert_bulletins/VB-97.03.sun
 
            Note that restricting access to the portmapper does not
            necessarily prevent an intruder from connecting directly
            to the port on which NIS+ is running. For this and other
            reasons we recommend that any port that is not explicitly
            required be blocked at your router or firewall.

         2. Configure your system to mark the stack as non-executable.
            For example, on Solaris systems running on sun4m, sun4d
            and sun4u platforms, the variable noexec_user_stack in the
            /etc/system file can be used to mark the stack as
            non-executable by default. While this will prevent an
            intruder from gaining root access, it will not prevent an
            intruder from crashing the NIS+ server. For more
            information on the noexec_user_stack variable, see

            http://docs.sun.com:80/ab2/coll.47.4/SYSADMIN1/@Ab2PageView/
            91907?DwebQuery=executable+stacks
 
            Marking the stack as non-executable is highly dependent on
            hardware and software configurations. For information on
            marking the stack as non-executable on other platforms,
            consult your vendor or operating systems manuals. 
 
         3. Initialize newly installed NIS+ clients using a method that
            does not rely on unauthenticated network information. For
            example, on Solaris systems you can copy the
            /var/nis/NIS_COLD_START file from an already existing NIS+
            client, and use that file as input to the nisinit command.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional information.
If you do not see your vendor's name, the CERT/CC did not hear from that
vendor. Please contact the vendor directly.


Data General
- ------------
Data General is investigating. They will provide an update when their
investigation is complete.


Digital Equipment Corporation
- -----------------------------
This problem is not present for Digital's ULTRIX or Digital UNIX
Operating Systems Software.


FreeBSD, Inc.   
- -------------
FreeBSD is not vulnerable.


Hewlett-Packard Company
- -----------------------
HP-UX is Vulnerable. Patches in process.


IBM Corporation 
- ---------------
AIX is not vulnerable.


NEC Corporation
- ---------------
Some NEC systems are vulnerable. Patches are in progress and will be
available from ftp://ftp.meshnet.or.jp/pub/48pub/security.


The NetBSD Project
- ------------------
NetBSD is not vulnerable.


OpenBSD
- -------
OpenBSD is not vulnerable.


The Santa Cruz Operation, Inc.
- ------------------------------
No SCO products are vulnerable.


Sun Microsystems, Inc.  
- ----------------------
Patches were released for Solaris 5.4, 5.5, 5.5.1, and 5.6.

The patch numbers are as follows.

        5.4     sparc   101973-35
        5.4     intel   101974-35
        5.5     sparc   103187-38
        5.5     intel   103188-38
        5.5.1   sparc   103612-41
        5.5.1   intel   103613-41
        5.6     sparc   105401-12
        5.6     intel   105402-12

Sun estimates that a patch for SunOS 5.3 will be available in about 12
weeks. The expected patch number is 101318-91.

- -----------------------------------------------------------------------------
We wish to thank Josh Daymont of ISS who reported the vulnerability
and provided technical assistance. 

- -----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response 
and Security Teams (see http://www.first.org/team-info/).


CERT/CC Contact Information 
- ---------------------------- 
Email    This email address is being protected from spambots. You need JavaScript enabled to view it.

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
                and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

Using encryption
   We strongly urge you to encrypt sensitive information sent by email. We can
   support a shared DES key or PGP. Contact the CERT/CC for more information. 
   Location of CERT PGP key
         ftp://ftp.cert.org/pub/CERT_PGP.key

Getting security information
   CERT publications and other security information are available from
        http://www.cert.org/
        ftp://ftp.cert.org/pub/

   CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce 

   To be added to our mailing list for advisories and bulletins, send 
   email to
        This email address is being protected from spambots. You need JavaScript enabled to view it. 
   In the subject line, type 
        SUBSCRIBE  your-email-address 

- ---------------------------------------------------------------------------

Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to This email address is being protected from spambots. You need JavaScript enabled to view it. with
"copyright" in the subject line.
 
*CERT is registered in the U.S. Patent and Trademark Office.

- ---------------------------------------------------------------------------

This file: ftp://ftp.cert.org/pub/cert_advisories/CA-98.06.nisd
           http://www.cert.org/nav/alerts.html



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNX2Wy3VP+x0t4w7BAQEfzQP+L5Ffb8F0WytM7jpLxbTD3Ft0Yrvv/ZUv
ekltUlT26Q0u2k7llZfXKTiQ0AFFpYULMUl17XFtT2CjBaWvMpttWCBVy2oWdVOZ
xQAJYAMLZdB2jNCJnMSaHZH0v2egyh2qmSKVs4zsNgCmbPIzBOAbq3aJsbA/2zk9
6OUCIItvraM=
=c/k6
-----END PGP SIGNATURE-----
Powered by: MHonArc

Login Form

Search

School of Engineering and technologies     Asian Institute of Technology