[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : NeXTstep Configuration Vulnerability

Title: NeXTstep Configuration Vulnerability
Released by: CERT
Date: 20th January 1992
Printable version: Click here

Hash: SHA1



Last Revised:  September 19,1997        

                Attached copyright statement

                                CERT Advisory

                              January 20, 1992

                     NeXTstep Configuration Vulnerability

- ---------------------------------------------------------------------------

The Computer Emergency Response Team/Coordination Center (CERT/CC)  

has received information concerning a vulnerability in release 2 of

NeXTstep's NetInfo default configuration.  This vulnerability will

be corrected in future versions of NeXTstep.

- ---------------------------------------------------------------------------

I.   Description

     By default, a NetInfo server process will provide information to

     any machine that requests it.

II.  Impact

     Remote users can gain unauthorized access to the network's

     administrative information such as the passwd file.

III. Solution

     Ensure that the trusted_networks property of each NetInfo domain's

     root NetInfo directory is set correctly, so that only those systems

     which should be obtaining information from NetInfo are granted

     access. The value for the trusted_networks property should be the

     network numbers of the networks the server should trust.

     Note that improperly setting trusted_networks can render your

     network unusable.

     Consult Chapter 16, "Security", of the "NeXT Network and System

     Administration" manual for release 2 for details on setting the

     trusted_networks property of the root NetInfo directory.

- ---------------------------------------------------------------------------

The CERT/CC wishes to thank NeXT Computer, Inc. for their cooperation in

documenting and publicizing this security vulnerability.

- ---------------------------------------------------------------------------

If you believe that your system has been compromised, contact CERT/CC via

telephone or e-mail.

Internet E-mail: cert@cert.org

Telephone: 412-268-7090 (24-hour hotline)

           CERT/CC personnel answer 7:30a.m.-6:00p.m. EST(GMT-5)/EDT(GMT-4),

           on call for emergencies during other hours.

Computer Emergency Response Team/Coordination Center (CERT/CC)

Software Engineering Institute

Carnegie Mellon University

Pittsburgh, PA 15213-3890

Past advisories and other information related to computer security are

available for anonymous ftp from the cert.org ( system.

- ----------------------------------------------------------------------------

Copyright 1992 Carnegie Mellon University. Conditions for use, disclaimers,

and sponsorship information can be found in

http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .

If you do not have FTP or web access, send mail to cert@cert.org with

"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.


Revision History:

September 19,1997  Attached Copyright Statement


Version: PGP for Personal Privacy 5.0

Charset: noconv





(C) 1999-2000 All rights reserved.