Patch-ID# 100482-02 Keywords: security ypserv ypxfrd maps Synopsis: SunOS 4.1;4.1.1;4.1.2: ypserv sends maps to anyone who guesses domainname Date: 20-May-92 SunOS release: 4.1, 4.1.1, 4.1.2 Unbundled Product: Unbundled Release: Topic: ypserv and ypxfrd security patch NOTE!! Patch 100075-08 or any later revision is a prerequisite for 100482-02. BugId's fixed with this patch: 1036869, 1039839, 1082319, 1082320, 1080353 Architectures for which this patch is available: sun3, sun4 Other patches which conflict with this patch: Obsoleted by: Problem Description: Bug 1036869 Security - ypserv will send maps to anyone who can guess the domainame Bug 1039839 DNS used in conjunction with NIS may generate syslog messages to the console something like : nres_gethostbyaddr: some.name.org != its.correct.IP.addr Bug 1082319 Security - ypserv will send maps to anyone via the portmapper. Bug 1082320 Security - ypxfrd will send maps to anyone. Ypxfrd does not check whether the person transferring the map is root on his machine, when the map is ``secure''. As a consequence, any user can get the password map if the NIS master is running ypxfrd. Bug 1080353 The problem is whenever the primary name server downloads an 'A' record to the secondary system and this 'A' record contains more than 36 IP addresses. It will cause ypserv on the secondary system to dump core. Comments: This patch contains the following fixes: 1. ypserv - for bug 1036869, 1039839 and 1080353. 2. ypxfrd - for bug 1082320. 3. portmap - for bug 1082319. In order to prevent these NIS security problems, all of the above fixes need to work together. Both the "ypserv" and "ypxfrd" patch use a /var/yp/securenets file and, if present, only responds to IP addresses in the range given. This file is only read when the daemons (both ypserv & ypxfrd) start. To get a change in /var/yp/securenets to take effect, one must kill and restart the daemons. Note that for a machine with two Ethernet interfaces (i.e. a gateway machine) the IP addresses of both had to be in /var/yp/securenets. The format of the file is one of more lines of: netmask netaddr e.g. 255.255.0.0 128.30.0.0 255.255.255.0 128.311.10.0 In the 2nd example, the netmask is 255.255.255.0 and the network address is 128.311.10.0 . This setup will only allow the ypserv to respond to those IP addresses which are within the subnet 128.311.10 range. Install: As root and for the correct architecture directory. Please become aware of NIS concepts in general before installing this patch. #save original binaries mv /usr/etc/ypserv /usr/etc/ypserv.orig mv /usr/etc/ypxfrd /usr/etc/ypxfrd.orig mv /usr/etc/portmap /usr/etc/portmap.orig chmod 0400 /usr/etc/ypserv.orig chmod 0400 /usr/etc/ypxfrd.orig chmod 0400 /usr/etc/portmap.orig #copy the new version to /usr/etc cp `arch`/{4.1, 4.1.1, 4.1.2}/ypserv /usr/etc/ypserv cp `arch`/{4.1, 4.1.1, 4.1.2}/ypxfrd /usr/etc/ypxfrd cp `arch`/{4.1, 4.1.1, 4.1.2}/portmap /usr/etc/portmap chown root.staff /usr/etc/ypserv chmod 755 /usr/etc/ypserv chown root.staff /usr/etc/ypxfrd chmod 755 /usr/etc/ypxfrd chown root.staff /usr/etc/portmap chmod 755 /usr/etc/portmap #copy the securenets file to /var/yp cp `arch`/{4.1, 4.1.1, 4.1.2}/securenets /var/yp chown root.staff /var/yp/securenets chmod 644 /var/yp/securenets #edit the securenets file and make the appropriate changes. #reboot the system to invoke the new binaries.