**************************************************************************
Security Bulletin 9812                  DISA Defense Communications System
                                                            June 10, 1998

Published by: DISN Security Coordination Center
              (SCC@NIC.MIL) 1-(800) 365-3642

                  DEFENSE INFORMATION SYSTEM NETWORK
                          SECURITY BULLETIN

The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security
Coordination Center) under DISA contract as a means of communicating
information on network and host security exposures, fixes, and concerns
to security and management personnel at DISN facilities.  Back issues may
be obtained via FTP from NIC.MIL [207.132.116.5] using login="anonymous"
and password="guest".  The bulletin pathname is scc/sec-yynn (where "yy"
is the year the bulletin is issued and "nn" is a bulletin number, e.g.
scc/sec-9705.txt).  These are also available at our WWW site,
http://nic.mil.
**************************************************************************

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
!                                                                       !
!  The following important advisory was issued by the Computer         !
!  Emergency Response Team (CERT) and is being relayed unedited        !
!  via the Defense Information Systems Agency's Security               !
!  Coordination Center distribution system as a means of               !
!  providing DISN subscribers with useful security information.        !
!                                                                       !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

=============================================================================
-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================

CERT* Advisory CA-98.06
Original issue date: June 09, 1998
Last revised: --

Topic: Buffer Overflow in NIS+

-----------------------------------------------------------------------------

The CERT Coordination Center has received a report from Internet Security
Systems regarding a vulnerability in some implementations of NIS+. The
NIS+ service is offered by the rpc.nisd program on many systems.
We recommend installing a vendor patch as soon as possible. Until you are
able to do that, we encourage you to implement applicable workarounds as
described in section III.

We will update this advisory as we receive additional information. Please
check our advisory files regularly for updates that relate to your site.

-----------------------------------------------------------------------------

I.   Description

     NIS+ and NIS are designed to assist in the administration of networks
     by providing centralized management and distribution of information
     about users, machines, and other resources on the network. NIS+ is a
     replacement for NIS.

     A buffer overflow exists in some versions of NIS+. At this time, we do
     not believe any versions of NIS are vulnerable to this buffer overflow.

     Note that this vulnerability exists independently of the security
     level at which the NIS+ server is running.

II.  Impact

     Depending on the configuration of the target machine, a remote intruder
     can gain root access to a vulnerable system or cause the NIS+ server to
     crash, which will affect the usability of any system that depends on
     NIS+.

     Additionally, if your NIS+ server is running in NIS compatibility mode
     and if an intruder is able to crash the NIS+ server, the intruder may be
     able to masquerade as an NIS server and gain access to machines that
     depend on NIS for authentication.

     Finally, if an intruder is able to crash an NIS+ server and there are
     clients on the local network that are initialized by broadcast, an
     intruder may be able to provide false initialization information to
     the NIS+ clients. Clients that are initialized by hostname may also be
     vulnerable under some circumstances.

III. Solution

     A. Obtain and install a patch from your vendor.

        Appendix A contains input from vendors who have provided information
        for this advisory. We will update the appendix as we receive more
        information. If you do not see your vendor's name, the CERT/CC did
        not hear from that vendor.
        Please contact your vendor directly.

     B. Until you are able to install the appropriate patch, we recommend
        the following workaround.

        1. As with any software, particularly network services, if you do
           not depend on NIS+, we encourage you to disable it.

     C. If you must operate with an unpatched version of NIS+, the risk may
        be mitigated using the following strategies.

        1. Limit external access to your portmapper by blocking access to
           port 111 at your firewall or router. Additionally, if you have
           not already done so, apply the patches referenced in VB-97.03,
           available at

               ftp://ftp.cert.org/pub/cert_bulletins/VB-97.03.sun

           Note that restricting access to the portmapper does not
           necessarily prevent an intruder from connecting directly to the
           port on which NIS+ is running. For this and other reasons we
           recommend that any port that is not explicitly required be
           blocked at your router or firewall.

        2. Configure your system to mark the stack as non-executable. For
           example, on Solaris systems running on sun4m, sun4d and sun4u
           platforms, the variable noexec_user_stack in the /etc/system
           file can be used to mark the stack as non-executable by default.
           While this will prevent an intruder from gaining root access, it
           will not prevent an intruder from crashing the NIS+ server. For
           more information on the noexec_user_stack variable, see

               http://docs.sun.com:80/ab2/coll.47.4/SYSADMIN1/@Ab2PageView/91907?DwebQuery=executable+stacks

           Marking the stack as non-executable is highly dependent on
           hardware and software configurations. For information on marking
           the stack as non-executable on other platforms, consult your
           vendor or operating systems manuals.

        3. Initialize newly installed NIS+ clients using a method that does
           not rely on unauthenticated network information. For example, on
           Solaris systems you can copy the /var/nis/NIS_COLD_START file
           from an already existing NIS+ client, and use that file as input
           to the nisinit command.
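The Solaris parts of workaround C.2 and the Sun patch list in Appendix A can be checked mechanically. The script below is an added example, not code from CERT, DISA or Sun; it assumes a Bourne-compatible shell with a POSIX grep, that /etc/system uses "*" comment lines, and that "showrev -p" prints one "Patch: nnnnnn-rr ..." line per installed patch (the patch numbers are the ones given in Appendix A).

```shell
#!/bin/sh
# Added audit helpers (not from the advisory) for the CA-98.06 mitigations
# on Solaris. Assumes "*" comment lines in /etc/system and "showrev -p"
# output of the form "Patch: 103612-41 Obsoletes: ... Packages: ...".

# Sun patch from Appendix A that fixes rpc.nisd for release $1 ("uname -r")
# and platform $2 ("sparc" or "intel"); fails for releases without a patch.
required_nisd_patch() {
    case "$1/$2" in
        5.4/sparc)   echo 101973-35 ;;
        5.4/intel)   echo 101974-35 ;;
        5.5/sparc)   echo 103187-38 ;;
        5.5/intel)   echo 103188-38 ;;
        5.5.1/sparc) echo 103612-41 ;;
        5.5.1/intel) echo 103613-41 ;;
        5.6/sparc)   echo 105401-12 ;;
        5.6/intel)   echo 105402-12 ;;
        *)           return 1 ;;    # e.g. 5.3: patch 101318-91 not yet out
    esac
}

# Reads "showrev -p" output on stdin; succeeds only if the required patch
# for release $1 / platform $2 is present at the advisory's revision or later.
nisd_patch_installed() {
    req=$(required_nisd_patch "$1" "$2") || return 1
    base=${req%-*}
    need=${req#*-}
    have=$(sed -n "s/^Patch: $base-\([0-9]*\).*/\1/p" | sort -n | tail -1)
    [ -n "$have" ] && [ "$have" -ge "$need" ]
}

# Succeeds if $1 (default /etc/system) sets noexec_user_stack=1 outside a
# comment, i.e. workaround C.2 is in place. Needs a POSIX grep (-E, -q).
stack_noexec_configured() {
    grep -v '^[[:space:]]*\*' "${1:-/etc/system}" 2>/dev/null |
        grep -Eq '^[[:space:]]*set[[:space:]]+noexec_user_stack[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}

# Stand-alone run: report on the local host. On a non-Solaris system the
# first check reports "no" and the patch check is skipped (no showrev).
if stack_noexec_configured; then echo "noexec_user_stack=1: yes"; else echo "noexec_user_stack=1: no"; fi
if command -v showrev >/dev/null 2>&1; then
    plat=$(uname -p); [ "$plat" = i386 ] && plat=intel
    if showrev -p | nisd_patch_installed "$(uname -r)" "$plat"; then
        echo "rpc.nisd patch: installed"
    else
        echo "rpc.nisd patch: missing, too old, or no patch for this release"
    fi
fi
```

A passing patch check does not cover workaround C.1 (port 111 filtering) or C.3 (cold-start initialization), which have to be verified at the router and on each client.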
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional
information. If you do not see your vendor's name, the CERT/CC did not
hear from that vendor. Please contact the vendor directly.

Data General
------------
  Data General is investigating. They will provide an update when their
  investigation is complete.

Digital Equipment Corporation
-----------------------------
  This problem is not present for Digital's ULTRIX or Digital UNIX
  Operating Systems Software.

FreeBSD, Inc.
-------------
  FreeBSD is not vulnerable.

Hewlett-Packard Company
-----------------------
  HP-UX is vulnerable. Patches in process.

IBM Corporation
---------------
  AIX is not vulnerable.

NEC Corporation
---------------
  Some NEC systems are vulnerable. Patches are in progress and will be
  available from ftp://ftp.meshnet.or.jp/pub/48pub/security.

The NetBSD Project
------------------
  NetBSD is not vulnerable.

OpenBSD
-------
  OpenBSD is not vulnerable.

The Santa Cruz Operation, Inc.
------------------------------
  No SCO products are vulnerable.

Sun Microsystems, Inc.
----------------------
  Patches were released for Solaris 5.4, 5.5, 5.5.1, and 5.6. The patch
  numbers are as follows.

      Release   Platform   Patch
      5.4       sparc      101973-35
      5.4       intel      101974-35
      5.5       sparc      103187-38
      5.5       intel      103188-38
      5.5.1     sparc      103612-41
      5.5.1     intel      103613-41
      5.6       sparc      105401-12
      5.6       intel      105402-12

  Sun estimates that a patch for SunOS 5.3 will be available in about 12
  weeks. The expected patch number is 101318-91.

-----------------------------------------------------------------------------

We wish to thank Josh Daymont of ISS who reported the vulnerability and
provided technical assistance.
-----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (see http://www.first.org/team-info/).

CERT/CC Contact Information
----------------------------
Email    cert@cert.org
Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
         and are on call for emergencies during other hours.
Fax      +1 412-268-6989
Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

Using encryption
   We strongly urge you to encrypt sensitive information sent by email.
   We can support a shared DES key or PGP. Contact the CERT/CC for more
   information.
   Location of CERT PGP key
      ftp://ftp.cert.org/pub/CERT_PGP.key

Getting security information
   CERT publications and other security information are available from
        http://www.cert.org/
        ftp://ftp.cert.org/pub/

   CERT advisories and bulletins are also posted on the USENET newsgroup
   comp.security.announce

   To be added to our mailing list for advisories and bulletins, send
   email to
        cert-advisory-request@cert.org
   In the subject line, type
        SUBSCRIBE  your-email-address

---------------------------------------------------------------------------

Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

*CERT is registered in the U.S. Patent and Trademark Office.
---------------------------------------------------------------------------

This file:
ftp://ftp.cert.org/pub/cert_advisories/CA-98.06.nisd
http://www.cert.org/nav/alerts.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Revision history

****************************************************************************
*                                                                          *
*  The point of contact for NIPRNET security-related incidents is the      *
*  ASSIST:                                                                 *
*                                                                          *
*     E-mail address:   ASSIST@ASSIST.MIL                                  *
*                                                                          *
*     Telephone:        1-(800)-357-4231 (24 hours/day)                    *
*                                                                          *
*  You may also contact the Security Coordination Center (SCC) at the      *
*  NIC:                                                                    *
*                                                                          *
*     E-mail address:   SCC@NIC.MIL                                        *
*                                                                          *
*     Telephone:        1-(800)-365-3642                                   *
*                                                                          *
*  NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST,     *
*  Monday through Friday except on federal holidays.                       *
*                                                                          *
****************************************************************************

PLEASE NOTE: Some users outside of the DOD computing communities may
receive DISN Security Bulletins. If you are not part of the DOD community,
please contact your agency's incident response team to report incidents.
Your agency's team will coordinate with DOD. The Forum of Incident
Response and Security Teams (FIRST) is a world-wide organization. A list
of FIRST member organizations and their constituencies can be obtained by
sending email to docserver@first.org with an empty subject line and a
message body containing the line: send first-contacts.

This document was prepared as a service to the DOD community.
Neither the United States Government nor any of its employees makes any
warranty, expressed or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, product, or process disclosed, or represents that its use
would not infringe privately owned rights. Reference herein to any
specific commercial product, process, or service by trade name,
trademark, manufacturer, or otherwise does not necessarily constitute or
imply its endorsement, recommendation, or favoring by the United States
Government. The opinions of the authors expressed herein do not
necessarily state or reflect those of the United States Government, and
shall not be used for advertising or product endorsement purposes.