******************************************************************************
                             A D V I S O R Y
                                 FA-98.50
******************************************************************************

Topic:          SunOS rpc.nisd Vulnerability
Source:         CIAC
Creation Date:  June 16, 1998
Last Updated:

To aid in the wide distribution of essential security information,
FedCIRC is forwarding the following information from CIAC bulletin
I-058. FedCIRC urges you to act on this information as soon as possible.

If you have any questions, please contact FedCIRC:

Telephone: +1 888 282 0870
Email:     fedcirc@fedcirc.gov

=======================FORWARDED TEXT STARTS HERE============================

[ For Public Release ]
-----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
             __________________________________________________________

                             INFORMATION BULLETIN

                         SunOS rpc.nisd Vulnerability

June 16, 1998 21:00 GMT                                           Number I-058
______________________________________________________________________________
PROBLEM:       Information has been received concerning a vulnerability in
               the rpc.nisd daemon.
PLATFORM:      SunOS 5.6, 5.6_x86, 5.5.1, 5.5.1_x86, 5.5, 5.5_x86, 5.4,
               5.4_x86 and 5.3 on systems which are NIS+ servers.
DAMAGE:        This vulnerability may allow local users, as well as remote
               users to gain root privileges.
SOLUTION:      It is strongly recommended that affected sites install patches
               outlined in section 4 immediately.
______________________________________________________________________________
VULNERABILITY  Exploit information involving this vulnerability has been made
ASSESSMENT:    publicly available.
______________________________________________________________________________

[ Start Sun Microsystems Advisory ]

______________________________________________________________________________
                   Sun Microsystems, Inc. Security Bulletin

Bulletin Number:        #00170
Date:                   June 10, 1998
Cross-Ref:              CERT CA-98.06
                        ISS Security Advisory, June 10, 1998
Title:                  rpc.nisd
______________________________________________________________________________

The information contained in this Security Bulletin is provided "AS IS."
Sun makes no warranties of any kind whatsoever with respect to the
information contained in this Security Bulletin. ALL EXPRESS OR IMPLIED
CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY WARRANTY OF
NON-INFRINGEMENT OR IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE, ARE HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT
ALLOWED BY APPLICABLE LAW.

IN NO EVENT WILL SUN MICROSYSTEMS, INC. BE LIABLE FOR ANY LOST REVENUE,
PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL
OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY THEORY OF
LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION
CONTAINED IN THIS SECURITY BULLETIN, EVEN IF SUN MICROSYSTEMS, INC. HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

If any of the above provisions are held to be in violation of applicable
law, void, or unenforceable in any jurisdiction, then such provisions are
waived to the extent necessary for this disclaimer to be otherwise
enforceable in such jurisdiction.
______________________________________________________________________________

1.  Bulletins Topics

    Sun announces the release of patches for Solaris(tm) 2.6, 2.5.1, 2.5
    and 2.4 (SunOS(tm) 5.6, 5.5.1, 5.5 and 5.4), which relate to a
    vulnerability in rpc.nisd.

    Sun estimates that the release of a patch for Solaris 2.3 (SunOS 5.3)
    that relates to the same vulnerability will be available within 12
    weeks of the date of this bulletin.

    Sun strongly recommends that you install the patches listed in
    section 4 immediately on systems running SunOS 5.6, 5.6_x86, 5.5.1,
    5.5, and 5.4 which use rpc.nisd.

2.  Who is Affected

    Vulnerable:     SunOS 5.6, 5.6_x86, 5.5.1, 5.5.1_x86, 5.5, 5.5_x86,
                    5.4, 5.4_x86 and 5.3 on systems which are NIS+ servers.

    Not vulnerable: All other supported versions of SunOS.

3.  Understanding the Vulnerability

    The rpc.nisd daemon is an RPC service that implements the NIS+
    service. This daemon must be running on all machines which serve a
    portion of the NIS+ namespace.

    A buffer overflow has been discovered in rpc.nisd which could be
    exploited to gain root access and execute arbitrary commands.

4.  List of Patches

    The following patches are available in relation to the above problem.

    SunOS               Patch ID
    _____               _________
    SunOS 5.6           105401-13
    SunOS 5.6_x86       105402-13
    SunOS 5.5.1         103612-41
    SunOS 5.5.1_x86     103613-41
    SunOS 5.5           103187-38
    SunOS 5.5_x86       103188-38
    SunOS 5.4           101973-35
    SunOS 5.4_x86       101974-35
    SunOS 5.3           101318-91 (to be released in 12 weeks)
______________________________________________________________________________

Sun acknowledges with thanks CERT/CC and Internet Security Systems, Inc.
for their assistance in this matter.
______________________________________________________________________________

APPENDICES

A.  Patches listed in this bulletin are available to all Sun customers via
    World Wide Web at: