nisd vulnerability
CVE-1999-0008
Impact
A buffer overflow condition in nisd could allow a remote
attacker to crash the server, execute arbitrary commands with root privileges
on the server, or gain access to other machines that depend on the server
for authentication.
Background
NIS+, an upgraded version of NIS, is used to assist in the centralized
management of a network. The NIS+ clients depend upon the NIS+ server
for authentication and configuration information. rpc.nisd
is the NIS+ daemon.
The Problem
rpc.nisd accepts an argument, nis_name,
without enforcing a maximum length. This argument is copied into
a fixed-length buffer, creating a buffer overflow condition that can
be used to crash the server or execute arbitrary commands as root.
Additionally, if the server is running in NIS compatibility mode,
an attacker could crash the server and then gain access to client
machines by masquerading as the server.
Solaris 2.3 through Solaris 2.6, and some versions of HP-UX are
vulnerable if unpatched. Most other operating systems are not
vulnerable. See
CERT Advisory 98.06 for information on your particular operating system.
Resolution
If nisd shows up when you type rpcinfo -p
on the system, then the service is running. The best solution is to
disable it if NIS+ is not being used. On some
versions of Solaris, this can be done by ensuring that the /var/nis
directory is empty, and rebooting the system. If this doesn't work on
your system, contact your vendor.
If NIS+ is used on the system, then install a patch from your vendor.
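As an added example (not part of the advisory or any vendor tool), the following POSIX shell script automates the two checks described above: whether nisd is registered with the portmapper according to rpcinfo -p, and whether the /var/nis directory is empty. The rpcinfo output samples are constructed, and the RPC program number 100300 shown in them is an assumption; the service name nisd and the /var/nis path come from the advisory.

```shell
#!/bin/sh
# Added example: detect whether rpc.nisd is registered and whether /var/nis
# is empty, following the Resolution section. Parsing is done on stdin so
# it can be exercised against constructed rpcinfo -p output.

# Read rpcinfo -p output on stdin. Field layout: program vers proto port
# service. Returns 0 if any line names the nisd service, 1 otherwise.
nisd_registered() {
    awk 'NR > 1 && $5 == "nisd" { found = 1 } END { exit found ? 0 : 1 }'
}

# Returns 0 if the given directory (normally /var/nis) is absent or empty,
# 1 if it still holds NIS+ data. Dotfiles count as content.
nis_dir_empty() {
    [ -z "$(ls -A "$1" 2>/dev/null)" ]
}

# Constructed sample of rpcinfo -p output from a host running NIS+.
# The program number 100300 is assumed for illustration.
SAMPLE_WITH_NISD='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100300    3   udp  32771  nisd
    100300    3   tcp  32772  nisd'

# Constructed sample from a host with only the portmapper registered.
SAMPLE_WITHOUT_NISD='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper'

# Run both checks on the live host. Exit status 0 means nisd is not
# registered and /var/nis is empty; 1 means NIS+ still needs attention.
check_live_host() {
    status=0
    if rpcinfo -p 2>/dev/null | nisd_registered; then
        echo "rpc.nisd is registered with the portmapper: NIS+ is running"
        status=1
    else
        echo "rpc.nisd is not registered"
    fi
    if nis_dir_empty /var/nis; then
        echo "/var/nis is empty"
    else
        echo "/var/nis still contains NIS+ data"
        status=1
    fi
    return $status
}
```

Run check_live_host on a Solaris host to report both conditions; the helper functions can be tested on the constructed samples without a live portmapper.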
Where can I read more about this?
More about this vulnerability, including patch information, can be found in
CERT Advisory 98.06 and in the
X-Force advisory.
Solaris users can consult
Sun Security Bulletin 00170.