VID 17015
Severity 20
Port 111
Protocol TCP,UDP
Class RPC
Detailed Description Bootparam is running. A machine running bootparam is probably a server for diskless clients. An attacker who can guess which machines are the clients and which is the server can obtain the NIS domain name from bootparam. Since many NIS implementations provide no access control, the attacker can then use the domain name to make NIS provide the password file.
Recommendation Disable bootparamd if it is not required as a server for diskless clients, or patch NIS.

Several vendors have added access control to their NIS implementation. Check your system documentation or the vendor's patch list. The control file is sometimes called securenets.
As a workaround, consider the following suggestions:

- Run a portmapper with access control.
- Block port 111 (portmap) on your network gateway. This makes attacks on NIS and NFS mount daemons much harder.
- Enforce a policy for choosing passwords by installing an alternative passwd command, for example anlpasswd. Information is available from ftp://ftp.auscert.org.au/pub/mirrors/info.mcs.anl.gov/README.INSTALL.ANLPASSWD, and the anlpasswd program is available from ftp://ftp.auscert.org.au/pub/mirrors/info.mcs.anl.gov/anlpasswd.tar.Z.
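
An added example (not part of the original advisory): a shell function that reads `rpcinfo -p` output and reports whether the services this entry concerns are registered on a host. The program numbers 100026 (bootparam), 100004 (ypserv) and 100000 (portmapper) are the standard RPC assignments; the function names and the sample listing, including its port numbers, are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `rpcinfo -p` output for the services named in this entry.

audit_rpcinfo() {
    # Reads `rpcinfo -p` output on stdin and prints one finding per line.
    awk '
        $1 == "program" { next }      # skip the header row
        $1 == 100026 { boot = 1 }     # bootparam
        $1 == 100004 { nis = 1 }      # ypserv (NIS server)
        $1 == 100000 { pmap = 1 }     # portmapper
        END {
            if (boot)
                print "FINDING bootparam registered: disable bootparamd unless diskless clients need it"
            if (nis)
                print "FINDING ypserv registered: confirm NIS access control (e.g. securenets) is configured"
            if (boot && nis)
                print "FINDING bootparam+ypserv on one host: domain name disclosure can lead to NIS map retrieval"
            if (pmap)
                print "NOTE portmapper on port 111: restrict with access control or block at the gateway"
            if (!boot && !nis)
                print "OK no bootparam or ypserv registration found"
        }'
}

# Constructed sample of `rpcinfo -p` output (not captured from a real host).
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100026    1   udp  32771  bootparam
    100004    2   udp    834  ypserv
    100004    2   tcp    835  ypserv
EOF
}

# Live use on a host you administer: rpcinfo -p "$host" | audit_rpcinfo
sample_rpcinfo | audit_rpcinfo
```
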