Note: This is an archival copy of Security Sun Alert 200989 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000745.1.
Article ID : 1000745.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2004-05-11
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Solaris 9 Patches WITHDRAWN - Security Vulnerability With ypserv(1M) and ypxfrd(1M)

Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System

Bug Id
5022150

Date of Workaround Release
30-APR-2004

Date of Resolved Release
12-MAY-2004

Impact

Solaris 9 systems running as NIS servers containing secure maps and with patches 113579-02 through 113579-05 (for SPARC) or 114342-02 through 114342-05 (for x86) installed may allow local or remote unprivileged users (in an NIS environment) access to secure map information. Secure maps such as "passwd.adjunct.byname" are typically used to store encrypted passwords and other sensitive information and are not viewable to unprivileged users.

Patches 113579-02 through 113579-05 and 114342-02 through 114342-05 have been WITHDRAWN and are no longer available on SunSolve.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 9 with patches 113579-02 through 113579-05 and without patch 113579-06

x86 Platform

  • Solaris 9 with patches 114342-02 through 114342-05 and without patch 114342-06

Note: Solaris 7 and 8 are not affected by this issue.

This issue only affects NIS servers containing secure maps. NIS secure maps are stored on the server as dbm(3UCB) files with YP_SECURE as one of the keys in the database. Standard default secure maps (if they exist on the server) would be: 

    audit_user
group.adjunct.byname
passwd.adjunct.byname

The following script when run as "root" can help in finding secure maps that may be present: 

    #!/bin/bash
for i in `ls -1 /var/yp/*/*.pag | sed -e s/\.pag//`
do
makedbm -u $i | grep YP_SECURE 2>&1 > /dev/null;
if [ $? -eq 0 ]; then
echo $i is a secure map
fi
done

Symptoms

Unprivileged local or remote users may be able to view secure maps using commands such as ypmatch(1) or ypcat(1). For example, if "audit_user" is configured to be a secure map on the NIS server, then the following command can be run by any user on an NIS client system: 

    $ ypcat audit_user

to determine the contents of the map, which is typically visible only to the "root" user.


Workaround

To work around the described issue, back out patches 113579-02 through 113579-05 (for SPARC) or 114342-02 through 114342-05 (for x86). After backing out the patches, NIS services must be stopped and restarted using the following commands: 

    # /usr/lib/netsvc/yp/ypstop
# /usr/lib/netsvc/yp/ypstart

Note: Systems installed with Solaris 9 Update 12/03 and 4/04 cannot back out the affected patches.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 9 with patch 113579-06 or later

x86 Platform

  • Solaris 9 with patch 114342-06 or later


Modification History
Date: 12-MAY-2004
  • Update Contributing Factors and Resolution sections for patch release
  • Re-release as Resolved


References

113579-06
114342-06




Attachments
This solution has no attachment