MANAGER (IRM) AND AUTOMATED DATA PROCESSOR (ADP) COORDINATORS U-1,311/DS-SIM

SUBJ: NEXTSTEP NETINFO CONFIGURATION VULNERABILITY (AUTOMATED SYSTEMS SECURITY INCIDENT SUPPORT TEAM (ASSIST) 92-54)

1. ASSIST HAS LEARNED OF A CONFIGURATION VULNERABILITY IN RELEASE 2 OF THE NEXTSTEP OPERATING SYSTEM FOR NEXT COMPUTERS. BECAUSE A NETINFO SERVER PROCESS WILL BY DEFAULT ALLOW UNRESTRICTED ACCESS TO SYSTEM DATABASES, REMOTE USERS CAN GAIN UNAUTHORIZED ACCESS TO THE NETWORK'S ADMINISTRATIVE INFORMATION. FOR EXAMPLE, IF A NEXT COMPUTER (OR LAN) GRANTS EXTERNAL ACCESS TO OTHER TCP/IP NETWORKS, INFORMATION ABOUT HOSTS AND USERS IN NETINFO CAN BE USED BY REMOTE ATTACKERS TO COMPROMISE THE SECURITY OF THE LOCAL NETWORK AND HOSTS CONNECTING TO IT. AN UNAUTHORIZED USER CAN ALSO REMOTELY OBTAIN THE NETINFO PASSWORD DATABASE (NETINFO /USERS DIRECTORY) IF DEFAULT SETTINGS ARE NOT CHANGED AS DESCRIBED BELOW.

NEXT COMPUTERS INC. RECOMMENDS THAT EACH DOMAIN THAT STORES USER PASSWORDS BE PROTECTED AGAINST OUTSIDE ACCESS. TO ACCOMPLISH THIS, ENSURE THAT THE TRUSTED_NETWORKS PROPERTY OF EACH NETINFO DOMAIN'S ROOT NETINFO DIRECTORY IS SET CORRECTLY, SO THAT ONLY SYSTEMS TRUSTED TO OBTAIN INFORMATION FROM NETINFO ARE GRANTED ACCESS. THE VALUE FOR THE TRUSTED_NETWORKS PROPERTY SHOULD BE THE NETWORK ADDRESS (SEE STEP G BELOW) OF THE NETWORKS THE SERVER SHOULD TRUST.

2. RECOMMENDATION: SYSTEM ADMINISTRATORS SHOULD CONSULT CHAPTER 16, "SECURITY," OF THE "NEXT NETWORK AND SYSTEM ADMINISTRATION" MANUAL FOR RELEASE 2 FOR DETAILED PROCEDURES CONCERNING SETTING THE TRUSTED_NETWORKS PROPERTY OF THE ROOT NETINFO DIRECTORY. THE FOLLOWING IS A BRIEF OVERVIEW OF THOSE PROCEDURES FOR NEXT ADMINISTRATORS ALREADY FAMILIAR WITH NETINFOMANAGER (NOTE: MUST BE PERFORMED WITH ROOT PRIVILEGE):

A. WITH NETINFOMANAGER, OPEN THE DOMAIN TO BE PROTECTED. CLICK THE ROOT DIRECTORY.

B. CHOOSE OPEN DIRECTORY FROM THE DIRECTORY MENU.

C. CLICK "MASTER" IN THE PROPERTIES COLUMN.

D. CHOOSE APPEND PROPERTY. NOTICE THE PROPERTY CALLED "NEW_PROPERTY".

E. CLICK THAT PROPERTY. CHANGE THE TEXT IN THE FIELD AT THE BOTTOM OF THE WINDOW FROM "NEW_PROPERTY" TO "TRUSTED_NETWORKS". PRESS <RETURN> TO RECORD THE CHANGE.

F. CHOOSE NEW VALUE FROM THE DIRECTORY MENU. NOTICE THE VALUE IN THE VALUES COLUMN CALLED "NEW_VALUE".

G. CLICK "NEW_VALUE" IN THE VALUES COLUMN. CHANGE THE TEXT IN THE FIELD AT THE BOTTOM OF THE WINDOW FROM "NEW_VALUE" TO YOUR NETWORK ADDRESS. THIS IS THE PORTION OF THE INTERNET ADDRESS THAT IDENTIFIES THE NETWORK; ENTER THE NETWORK NUMBER ASSIGNED TO YOU BY THE NIC OR YOUR CORPORATE NETWORK MANAGER. DO NOT INCLUDE A TRAILING PERIOD IN THE NETWORK NUMBER. PRESS <RETURN> TO RECORD THE CHANGE.

H. SAVE THE DIRECTORY BY CHOOSING SAVE IN THE DIRECTORY MENU.

WARNING: IF THIS NUMBER IS ENTERED INCORRECTLY, LEGITIMATE MACHINES MAY BE UNABLE TO BOOT OR READ ADMINISTRATIVE INFORMATION. IMPROPERLY SETTING TRUSTED_NETWORKS CAN RENDER YOUR NETWORK UNUSABLE.

3. POINT OF CONTACT: ASSIST POINT OF CONTACT FOR THIS MATTER IS MIKE HIGGINS, COMM (202) 373-8852/55 OR DSN 243-8852/55. ASSIST CAN BE REACHED 24 HOURS PER DAY, COMMERCIAL PAGER (800) SKY-PAGE, PIN NUMBER 2133937 (FROM A TOUCH TONE PHONE ENTER THE CALL BACK NUMBER AFTER THE PROMPT) OR AUTOVON DIAL 243-8000 AND ASK TO HAVE THE ASSIST DUTY OFFICER PAGED. ASSIST CAN BE REACHED VIA E-MAIL AT "DOD-CERT@DDN-CONUS.DDN.MIL".
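THE FOLLOWING PYTHON SCRIPT IS AN ADDED EXAMPLE, NOT PART OF THIS MESSAGE OR OF NEXT'S DOCUMENTATION. IT AUDITS A NETINFO ROOT DIRECTORY LISTING FOR THE CONDITIONS PARAGRAPH 2 WARNS ABOUT: A MISSING TRUSTED_NETWORKS PROPERTY (THE INSECURE DEFAULT), A TRAILING PERIOD OR OTHER MALFORMED NETWORK NUMBER, AND A LOCAL HOST WHOSE ADDRESS IS NOT COVERED BY ANY TRUSTED NETWORK (THE "UNABLE TO BOOT" CASE). THE "PROPERTY: VALUES" LISTING FORMAT, THE LEADING-OCTET MATCHING RULE AND THE SAMPLE VALUES ARE ASSUMPTIONS; THE PROPERTY NAME ITSELF IS LOWERCASE.

```python
import re

# Constructed sample of a NetInfo root directory listing in an assumed
# "property: value value ..." form; the host and network values are made up.
SAMPLE_ROOT_DIR = """\
master: nexus/network
trusted_networks: 192.9.200 128.10.
"""


def parse_directory(text):
    """Map each property in the listing to its list of values."""
    props = {}
    for line in text.splitlines():
        key, sep, rest = line.partition(":")
        if sep:
            props[key.strip()] = rest.split()
    return props


def check_network_number(value):
    """Return None if value is a usable network number, else the defect."""
    if value.endswith("."):
        return "trailing period"  # explicitly forbidden by the advisory
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,3}", value):
        return "not a dotted-decimal network number"
    if any(int(octet) > 255 for octet in value.split(".")):
        return "octet out of range"
    return None


def covers(network_number, address):
    """Leading-octet match (assumed to be how NetInfo compares them)."""
    octets = network_number.split(".")
    return address.split(".")[: len(octets)] == octets


def audit(text, local_hosts):
    """Return a list of findings; an empty list means the setting is sane."""
    findings = []
    nets = parse_directory(text).get("trusted_networks")
    if not nets:
        return ["trusted_networks missing: server answers any network"]
    for value in nets:
        defect = check_network_number(value)
        if defect:
            findings.append(f"bad trusted_networks value {value!r}: {defect}")
    usable = [v for v in nets if check_network_number(v) is None]
    for host in local_hosts:  # every local machine must still be trusted
        if not any(covers(net, host) for net in usable):
            findings.append(f"{host} not covered: may fail to boot or read NetInfo")
    return findings
```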