VID 17003
Severity 30
Port 111
Protocol TCP,UDP
Class RPC
Detailed Description Bootparamd is running, and the NIS domain name can be obtained from it via the bootparam protocol.
When a diskless client needs to boot, it uses the bootparam protocol to get the information it needs from the server. If bootparamd is running, one can guess which host is the client and which is the server, or use a program such as bootparam_prot.x to determine which is which.
If an intruder uses BOOTPARAMPROC_WHOAMI and provides the address of the client, he will get its NIS domain name back from bootparamd. If you know the NIS domain name, it may be possible to get a copy of the password file.

* References:
http://www.iss.net/security_center/static/32.php
http://www.cert.org/advisories/CA-1992-13.html
http://www.cert.org/advisories/CA-1993-01.html
Recommendation Disable bootparamd if it is not required as a server for diskless clients, or patch NIS.

Several vendors have added access control to their NIS implementation. Check your system documentation or the vendor's patch list. The control file is sometimes called securenets.
As a workaround, consider the following suggestions:

- Run a portmapper with access control.
- Block port 111 (portmap) on your network gateway. This makes attacks on NIS and NFS mount daemons much harder.
- Enforce a policy for choosing passwords by installing an alternative passwd command, for example anlpasswd. Information is available from ftp://ftp.auscert.org.au/pub/mirrors/info.mcs.anl.gov/README.INSTALL.ANLPASSWD, and the anlpasswd program is available from ftp://ftp.auscert.org.au/pub/mirrors/info.mcs.anl.gov/anlpasswd.tar.Z

Solaris 10, Solaris 11, Enterprise Linux 6.4, CentOS 6.4, Fedora 19:
1. Become root, then stop the service as follows:

# rpcinfo -d [program num] [version num]

2. Comment out its entry by putting a # at the beginning of the line containing 'bootparamd' in /etc/rpc
3. # pkill -HUP (x)inetd
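An added check, not part of the advisory: given the output of `rpcinfo -p` (a constructed sample is embedded; program number 100026 is the standard bootparam assignment from /etc/rpc), it lists the bootparam registrations the portmapper exposes and prints the `rpcinfo -d` command from step 1 for each, so the remediation can be verified and repeated across hosts.

```shell
#!/bin/sh
# Added example, not from the advisory: find bootparam registrations in
# `rpcinfo -p` output and emit the matching `rpcinfo -d` commands.
# 100026 is the standard bootparam program number listed in /etc/rpc.

# Constructed sample of `rpcinfo -p` output; in use, pipe in: rpcinfo -p "$host"
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100026    1   udp   1023  bootparam
    100026    1   tcp   1023  bootparam
    100024    1   udp  40433  status'

# bootparam_regs: read rpcinfo -p output on stdin and print "prognum vers"
# for each bootparam registration, deduplicated across tcp/udp.
bootparam_regs() {
    awk '$1 == "100026" || $5 == "bootparam" { print $1, $2 }' | sort -u
}

# bootparam_count: number of distinct bootparam registrations
# (0 means nothing is exposed through the portmapper).
bootparam_count() {
    bootparam_regs | wc -l | tr -d ' '
}

# bootparam_unregister_cmds: one `rpcinfo -d <program> <version>` line
# per registration, matching step 1 of the remediation above.
bootparam_unregister_cmds() {
    bootparam_regs | while read -r prog vers; do
        printf 'rpcinfo -d %s %s\n' "$prog" "$vers"
    done
}

# Demo against the constructed sample: ./check_bootparam.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_RPCINFO" | bootparam_unregister_cmds
fi
```

After running the emitted commands, re-run the check against live `rpcinfo -p` output; a count of 0 confirms the service is no longer registered.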