-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



CERT Advisory CA-98.06



   Original issue date: June 09, 1998

   Revised Date: July 22, 1999    Added vendor information for Fujitsu.

     _________________________________________________________________

   

   Buffer Overflow in NIS+

     _________________________________________________________________

   

   The CERT Coordination Center has received a report from Internet

   Security Systems regarding a vulnerability in some implementations of

   NIS+. The NIS+ service is offered by the rpc.nisd program on many

   systems.

   

   We recommend installing a vendor patch as soon as possible. Until you

   are able to do that, we encourage you to implement applicable

   workarounds as described in section III.

   

   We will update this advisory as we receive additional information.

   Please check our advisory files regularly for updates that relate to

   your site.

     _________________________________________________________________

   

I. Description



   NIS+ and NIS are designed to assist in the administration of networks

   by providing centralized management and distribution of information

   about users, machines, and other resources on the network. NIS+ is a

   replacement for NIS. A buffer overflow exists in some versions of

   NIS+. At this time, we do not believe any versions of NIS are

   vulnerable to this buffer overflow. Note that this vulnerability

   exists independently of the security level at which the NIS+ server is

   running.

   

II. Impact



   Depending on the configuration of the target machine, a remote

   intruder can gain root access to a vulnerable system or cause the NIS+

   server to crash, which will affect the usability of any system which

   depends on NIS+.

   

   Additionally, if your NIS+ server is running in NIS compatibility mode

   and if an intruder is able to crash the NIS+ server, the intruder may

   be able to masquerade as an NIS server and gain access to machines

   that depend on NIS for authentication.

   

   Finally, if an intruder is able to crash an NIS+ server and there are

   clients on the local network that are initialized by broadcast, an

   intruder may be able to provide false initialization information to

   the NIS+ clients. Clients that are initialized by hostname may also be

   vulnerable under some circumstances.

   

III. Solution



    A. Obtain and install a patch from your vendor.

       Appendix A contains input from vendors who have provided

       information for this advisory. We will update the appendix as we

       receive more information. If you do not see your vendor's name,

       the CERT/CC did not hear from that vendor. Please contact your

       vendor directly.

    B. Until you are able to install the appropriate patch, we recommend

       the following workaround.

       

    1. As with any software, particularly network services, if you do not

       depend on NIS+, we encourage you to disable it.

       

     If you must operate with an unpatched version of NIS+, the risk may

   be mitigated using the following strategies.

   

    1. Limit external access to your portmapper by blocking access to

       port 111 at your firewall or router. Additionally, if you have not

       already done so, apply the patches referenced in VB-97.03,

       available at

       http://ftp.cert.org/pub/cert_bulletins/VB-97.03.sun

       Note that restricting access to the portmapper does not

       necessarily prevent an intruder from connecting directly to the

       port on which NIS+ is running. For this and other reasons we

       recommend that any port that is not explicitly required be blocked

       at your router or firewall.

    2. Configure your system to mark the stack as non-executable. For

       example, on Solaris systems running on sun4m, sun4d and sun4u

       platforms, the variable noexec_user_stack in the /etc/system file

       can be used to mark the stack as non-executable by default. While

       this will prevent an intruder from gaining root access, it will

       not prevent an intruder from crashing the NIS+ server. For more

       information on the noexec_user_stack variable, see

       http://docs.sun.com:80/ab2/coll.47.4/SYSADMIN1/@Ab2PageView/91907?

       DwebQuery=executable+stacks

       Marking the stack as non-executable is highly dependent on

       hardware and software configurations. For information on marking

       the stack as non-executable on other platforms, consult your

       vendor or operating systems manuals.

    3. Initialize newly installed NIS+ clients using a method that does

       not rely on unauthenticated network information. For example, on

       Solaris systems you can copy the /var/nis/NIS_COLD_START file from

       an already existing NIS+ client, and use that file as input to the

       nisinit command.

     _________________________________________________________________

   

Appendix A - Vendor Information



   Below is a list of the vendors who have provided information for this

   advisory. We will update this appendix as we receive additional

   information. If you do not see your vendor's name, the CERT/CC did not

   hear from that vendor. Please contact the vendor directly.

   

Data General



Data General is investigating. They will provide an update when their

investigation is complete.



Digital Equipment Corporation



This problem is not present for Digital's ULTRIX or Digital UNIX

Operating Systems Software.



FreeBSD, Inc.



FreeBSD is not vulnerable.



Fujitsu



UXP/V V10L20, the current version of the UNIX-based operating system running

on the Fujitsu VPP Series supercomputers, is vulnerable. Fujitsu is currently

working on a patch for UXP/V V10L20.



UXP/V V10L10, the version that preceded V10L20, is not vulnerable.



Hewlett-Packard Company



HP-UX is Vulnerable. Patches in process.



IBM Corporation



AIX is not vulnerable.



NEC Corporation



Some NEC systems are vulnerable. Patches are in progress and will be

available from http://ftp.meshnet.or.jp/pub/48pub/security.



The NetBSD Project



NetBSD is not vulnerable.



OpenBSD



OpenBSD is not vulnerable.



The Santa Cruz Operation, Inc.



No SCO products are vulnerable.



Sun Microsystems, Inc.



Patches were released for Solaris 5.4, 5.5, 5.5.1, and 5.6.



The patch numbers are as follows.



        5.4     sparc   101973-35

        5.4     intel   101974-35

        5.5     sparc   103187-38

        5.5     intel   103188-38

        5.5.1   sparc   103612-41

        5.5.1   intel   103613-41

        5.6     sparc   105401-12

        5.6     intel   105402-12



Sun estimates that a patch for SunOS 5.3 will be available in about 12

weeks. The expected patch number is 101318-91.

     _________________________________________________________________

   

   We wish to thank Josh Daymont of ISS who reported the vulnerability

   and provided technical assistance.

   ______________________________________________________________________

   

   This document is available from:

   http://www.cert.org/advisories/CA-98.06.nisd.html.

   ______________________________________________________________________

   

CERT/CC Contact Information



   Email: cert@cert.org

          Phone: +1 412-268-7090 (24-hour hotline)

          Fax: +1 412-268-6989

          Postal address:

          CERT Coordination Center

          Software Engineering Institute

          Carnegie Mellon University

          Pittsburgh PA 15213-3890

          U.S.A.

          

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)

   Monday through Friday; they are on call for emergencies during other

   hours, on U.S. holidays, and on weekends.

   

Using encryption



   We strongly urge you to encrypt sensitive information sent by email.

   Our public PGP key is available from http://www.cert.org/CERT_PGP.key.

   If you prefer to use DES, please call the CERT hotline for more

   information.

   

Getting security information



   CERT publications and other security information are available from

   our web site http://www.cert.org/.

   

   To be added to our mailing list for advisories and bulletins, send

   email to cert-advisory-request@cert.org and include SUBSCRIBE

   your-email-address in the subject of your message.

   

   Copyright 1999 Carnegie Mellon University.

   Conditions for use, disclaimers, and sponsorship information can be

   found in http://www.cert.org/legal_stuff.html.

   

   * "CERT" and "CERT Coordination Center" are registered in the U.S.

   Patent and Trademark Office

   ______________________________________________________________________

   

   NO WARRANTY

   Any material furnished by Carnegie Mellon University and the Software

   Engineering Institute is furnished on an "as is" basis. Carnegie

   Mellon University makes no warranties of any kind, either expressed or

   implied as to any matter including, but not limited to, warranty of

   fitness for a particular purpose or merchantability, exclusivity or

   results obtained from use of the material. Carnegie Mellon University

   does not make any warranty of any kind with respect to freedom from

   patent, trademark, or copyright infringement.

   ______________________________________________________________________

   

   Revision history

   July 22, 1999  Added vendor information for Fujitsu.



-----BEGIN PGP SIGNATURE-----

Version: PGP for Personal Privacy 5.0

Charset: noconv



iQA/AwUBOBTBqVr9kb5qlZHQEQLUJwCgvJt3SofgMKaDqXIwUta8zU6aoAQAoK73

djMX4hobWVxIbtan0Z7L3Zn4

=WMU6

-----END PGP SIGNATURE-----