Note: This is an archival copy of Security Sun Alert 201581 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001186.1.
Article ID : 1001186.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2005-04-28
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

NIS+ Client Users May Be Able to Cause a Denial of NIS+ Service

Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 7 Operating System
Solaris 8 Operating System

Bug Id
5109439

Date of Resolved Release
04-MAY-2005

Impact

Remote unprivileged users on NIS+ client systems may be able to disable the NIS+ service daemon, rpc.nisd(1M) which runs on NIS+ servers and implements the NIS+ service. By disabling the rcp.nisd(1M), the NIS+ service will be unavailable which is a type of denial of service. If a NIS+ server is configured as a client as well then local unprivileged users on that NIS+ server may be able to disable rpc.nisd(1M). It is also possible that a poorly written client application could similarly cause the denial of service.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 7 without patches 106938-09 and 106942-29
  • Solaris 8 without patch 108993-45
  • Solaris 9 without patch 113319-22

x86 Platform

  • Solaris 7 without patches 106939-09 and 106943-29
  • Solaris 8 without patch 108994-45
  • Solaris 9 without patch 113719-16

Notes:

  1. This issue only affects systems that are configured as NIS+ Master or Replica servers.
  2. Solaris 10 is not affected by this issue.

To determine if this is a NIS+ Master or Replica server, the following command can be run: 

    $ pgrep rpc.nisd || echo "This system is not a NIS+ server."

Also check that the rpc.nisd(1M) process is started on the system (otherwise the system does not function as a NIS+ server). The following command will show the running NIS+ service daemon rpc.nisd(1M): 

    # ps -ef |grep rpc.nisd

Symptoms

For Solaris 7 and 8 this can effectively disable the NIS+ service for that server. If the request is repeated, then another server will be disabled until all NIS+ services are disabled. For Solaris 9 the server will consume excessive CPU time executing a tight loop, but the NIS+ service will continue. Should sufficient requests be made the server will effectively become disabled.

This could affect for example, login of a user to a client system, a request to the NIS+ naming service with commands like nisls(1) or getent(1M) or telnet(1) to another system.

In addition, NIS+ servers will be showing continuous high CPU usage. This means that the output of the "ps -efl" command will show a fast increasing number for the used time of the rpc.nisd(1M) process.


Workaround

To temporarily work around the described issue: restart the NIS+ server daemon, then by using snoop(1M), identify the source of the requests and either discontinue or disable it, if possible.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 7 with patches 106938-09 or later and 106942-29 or later
  • Solaris 8 with patch 108993-45 or later
  • Solaris 9 with patch 113319-22 or later

x86 Platform

  • Solaris 7 with patches 106939-09 or later and 106943-29 or later
  • Solaris 8 with patch 108994-45 or later
  • Solaris 9 with patch 113719-16 or later


Modification History

References
 106938-09

 106942-29

 108993-45

 113319-22

 106939-09

 106943-29

 108994-45

 113719-16



                                                                                                                                                  


Attachments
This solution has no attachment