||Home : Advisories : Buffer Overflow in NIS+|
||Buffer Overflow in NIS+
||9th June 1998
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-98.06
Original issue date: June 09, 1998
Revised Date: July 22, 1999 Added vendor information for Fujitsu.
Buffer Overflow in NIS+
The CERT Coordination Center has received a report from Internet
Security Systems regarding a vulnerability in some implementations of
NIS+. The NIS+ service is offered by the rpc.nisd program on many
We recommend installing a vendor patch as soon as possible. Until you
are able to do that, we encourage you to implement applicable
workarounds as described in section III.
We will update this advisory as we receive additional information.
Please check our advisory files regularly for updates that relate to
NIS+ and NIS are designed to assist in the administration of networks
by providing centralized management and distribution of information
about users, machines, and other resources on the network. NIS+ is a
replacement for NIS. A buffer overflow exists in some versions of
NIS+. At this time, we do not believe any versions of NIS are
vulnerable to this buffer overflow. Note that this vulnerability
exists independently of the security level at which the NIS+ server is
Depending on the configuration of the target machine, a remote
intruder can gain root access to a vulnerable system or cause the NIS+
server to crash, which will affect the usability of any system which
depends on NIS+.
Additionally, if your NIS+ server is running in NIS compatibility mode
and if an intruder is able to crash the NIS+ server, the intruder may
be able to masquerade as an NIS server and gain access to machines
that depend on NIS for authentication.
Finally, if an intruder is able to crash an NIS+ server and there are
clients on the local network that are initialized by broadcast, an
intruder may be able to provide false initialization information to
the NIS+ clients. Clients that are initialized by hostname may also be
vulnerable under some circumstances.
A. Obtain and install a patch from your vendor.
Appendix A contains input from vendors who have provided
information for this advisory. We will update the appendix as we
receive more information. If you do not see your vendor's name,
the CERT/CC did not hear from that vendor. Please contact your
B. Until you are able to install the appropriate patch, we recommend
the following workaround.
1. As with any software, particularly network services, if you do not
depend on NIS+, we encourage you to disable it.
If you must operate with an unpatched version of NIS+, the risk may
be mitigated using the following strategies.
1. Limit external access to your portmapper by blocking access to
port 111 at your firewall or router. Additionally, if you have not
already done so, apply the patches referenced in VB-97.03,
Note that restricting access to the portmapper does not
necessarily prevent an intruder from connecting directly to the
port on which NIS+ is running. For this and other reasons we
recommend that any port that is not explicitly required be blocked
at your router or firewall.
2. Configure your system to mark the stack as non-executable. For
example, on Solaris systems running on sun4m, sun4d and sun4u
platforms, the variable noexec_user_stack in the /etc/system file
can be used to mark the stack as non-executable by default. While
this will prevent an intruder from gaining root access, it will
not prevent an intruder from crashing the NIS+ server. For more
information on the noexec_user_stack variable, see
Marking the stack as non-executable is highly dependent on
hardware and software configurations. For information on marking
the stack as non-executable on other platforms, consult your
vendor or operating systems manuals.
3. Initialize newly installed NIS+ clients using a method that does
not rely on unauthenticated network information. For example, on
Solaris systems you can copy the /var/nis/NIS_COLD_START file from
an already existing NIS+ client, and use that file as input to the
Appendix A - Vendor Information
Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional
information. If you do not see your vendor's name, the CERT/CC did not
hear from that vendor. Please contact the vendor directly.
Data General is investigating. They will provide an update when their
investigation is complete.
Digital Equipment Corporation
This problem is not present for Digital's ULTRIX or Digital UNIX
Operating Systems Software.
FreeBSD is not vulnerable.
UXP/V V10L20, the current version of the UNIX-based operating system running
on the Fujitsu VPP Series supercomputers, is vulnerable. Fujitsu is currently
working on a patch for UXP/V V10L20.
UXP/V V10L10, the version that preceded V10L20, is not vulnerable.
HP-UX is Vulnerable. Patches in process.
AIX is not vulnerable.
Some NEC systems are vulnerable. Patches are in progress and will be
available from http://ftp.meshnet.or.jp/pub/48pub/security.
The NetBSD Project
NetBSD is not vulnerable.
OpenBSD is not vulnerable.
The Santa Cruz Operation, Inc.
No SCO products are vulnerable.
Sun Microsystems, Inc.
Patches were released for Solaris 5.4, 5.5, 5.5.1, and 5.6.
The patch numbers are as follows.
5.4 sparc 101973-35
5.4 intel 101974-35
5.5 sparc 103187-38
5.5 intel 103188-38
5.5.1 sparc 103612-41
5.5.1 intel 103613-41
5.6 sparc 105401-12
5.6 intel 105402-12
Sun estimates that a patch for SunOS 5.3 will be available in about 12
weeks. The expected patch number is 101318-91.
We wish to thank Josh Daymont of ISS who reported the vulnerability
and provided technical assistance.
This document is available from:
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from http://www.cert.org/CERT_PGP.key.
If you prefer to use DES, please call the CERT hotline for more
Getting security information
CERT publications and other security information are available from
our web site http://www.cert.org/.
To be added to our mailing list for advisories and bulletins, send
email to email@example.com and include SUBSCRIBE
your-email-address in the subject of your message.
Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be
found in http://www.cert.org/legal_stuff.html.
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
July 22, 1999 Added vendor information for Fujitsu.
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
-----END PGP SIGNATURE-----