| VID |
17070 |
| Severity |
30 |
| Port |
1023 |
| Protocol |
UDP |
| Class |
RPC |
| Detailed Description |
The target host running NIS allows any user to obtain copies of the NIS maps. If the domain name can be guessed, then the NIS server can be used to acquire password files. A remote attacker can attempt to guess passwords for the system using the obtained NIS password map information.
* Note: This check attempts to fetch the remote NIS 'group.byname' map from a host running NIS.
* References: http://www.cert.org/advisories/CA-1992-13.html http://www.cert.org/advisories/CA-1993-01.html
* Platforms Affected: Unix Any version |
| Recommendation |
Choose a hard-to-guess NIS domain name and use strong password techniques:
- The NIS domain name should be something hard to guess. If it can be guessed using brute force methods, then change the NIS domain name.
- In the event that an attacker successfully obtains the password file, the passwords should be hard to guess. The crack utility and password shadowing help correct this weakness, but NIS/YP (Yellow Pages) transfers include encrypted passwords even if they are shadowed and unreadable on the server. The intruder can decode them at leisure using brute force methods.
-- AND --
Several vendors have added access control to their NIS implementation. Check your system documentation or the vendor's patch list. The control file is sometimes called securenets.
For SunOS 4.1, 4.1.1, and 4.1.2: Apply Sun Patch ID 100482-08, available from the Sun Microsystems, Inc. patch site at http://sunsolve.sun.com/
This patch enables "ypserv" to use the file /var/yp/securenets; if the file is present, ypserv responds only to IP addresses in the ranges given. This file is only read when the daemon starts. For a change in /var/yp/securenets to take effect, kill and restart the daemons.
The format of the file is one or more lines of:
netmask netaddr
e.g.:
255.255.0.0 128.30.0.0
255.255.255.0 128.311.10.0
In the example above, the netmask is 255.255.255.0 and the network address is 128.311.10.0. This setup allows ypserv to respond only to those IP addresses that are within the 128.311.10 subnet range.
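The following is an added example, not part of the original advisory or of any vendor's tooling: a small Python linter for a securenets file in the "netmask netaddr" format described above, which reports malformed entries before the daemons are restarted and tests whether a given client address would be answered. The function names, the treatment of `#` as a comment marker, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in the "netmask netaddr" format (not a real site's file).
SAMPLE = """\
255.255.0.0 128.30.0.0
255.255.255.0 192.0.2.0
255.255.255.0 192.0.2.300
255.255.255.0 10.1.2.3
"""

def parse_securenets(text):
    """Return (networks, problems) for securenets-style text."""
    networks, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' comments: an assumption
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            problems.append((lineno, "expected 'netmask netaddr'"))
            continue
        mask, addr = fields
        try:
            # strict=True rejects a netaddr with bits set outside the netmask,
            # as well as out-of-range octets and non-contiguous masks.
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=True)
        except ValueError as exc:
            problems.append((lineno, str(exc)))
            continue
        if net.prefixlen == 0:
            problems.append((lineno, "entry admits every address"))
        networks.append(net)
    return networks, problems

def is_allowed(client, networks):
    """True if the client address falls inside any listed network."""
    ip = ipaddress.IPv4Address(client)
    return any(ip in net for net in networks)

if __name__ == "__main__":
    nets, probs = parse_securenets(SAMPLE)
    for lineno, msg in probs:
        print(f"line {lineno}: {msg}")
    for client in ("128.30.5.9", "192.0.2.77", "198.51.100.1"):
        print(client, "allowed" if is_allowed(client, nets) else "refused")
```
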
As a workaround, consider the following suggestions:
Run a portmapper with access control, or block port 111 (portmap) on your network gateway, which makes attacks on NIS and NFS mount daemons much harder. |
| Related URL |
CVE-1999-0521 (CVE) |
| Related URL |
0044 (SecurityFocus) |
| Related URL |
32,85,87 (ISS) |
|