J-Security Center

Title: Multiple Vendor NIS+ Buffer Overflow Vulnerability

Severity: CRITICAL

Description:

NIS+ and NIS are designed to assist in the administration of networks by providing centralized management and distribution of information about users, machines, and other resources on the network. NIS+ is a replacement for NIS. A buffer overflow exists in some versions of NIS+. At this time, we do not believe any versions of NIS are vulnerable to this buffer overflow. Note that this vulnerability exists independently of the security level at which the NIS+ server is running.

Depending on the configuration of the target machine, a remote intruder can gain root access to a vulnerable system, or can crash the NIS+ server and so deny service to every system that depends on NIS+.

Additionally, if your NIS+ server is running in NIS compatibility mode and if an intruder is able to crash the NIS+ server, the intruder may be able to masquerade as an NIS server and gain access to machines that depend on NIS for authentication.

Finally, if an intruder is able to crash an NIS+ server and there are clients on the local network that are initialized by broadcast, an intruder may be able to provide false initialization information to the NIS+ clients. Clients that are initialized by hostname may also be vulnerable under some circumstances.

The rpc.nisd program is an ONC RPC agent that implements the NIS+ service. RPC arguments are described and decoded by XDR, and a variable-length XDR string declared with an explicit bound is rejected by the decoder, before the server code ever sees it, if the sender claims a length above that bound. Generally, the data sent to an RPC daemon therefore has an explicit maximum length, ensuring that it will not overflow buffers of any reasonable size. However, one NIS+ argument, nis_name, is declared with no specific maximum length, so the maximum defaults to an unsafe value and the decoder accepts whatever length the client claims. Because rpc.nisd then copies this argument into fixed-length buffers on the stack without checking its length, an attacker who sends an overlong nis_name can corrupt the stack and cause the daemon to execute arbitrary machine code.
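
The unbounded-argument defect described above, modeled as an added example that is not part of the original advisory or of rpc.nisd: a minimal XDR string decoder whose only length check is the bound the interface definition supplies (an unbounded string<> declaration yields the maximum 32-bit value), followed by a request handler that copies the decoded name into a fixed-size stack buffer without checking, and the same handler with the check in place. The struct frame, the 64-byte buffer, the marker return address, the function names and the constructed name string are all assumptions made for the model; the real buffer sizes and frame layout in rpc.nisd are not given on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the handler's fixed stack buffer (not given on the page). */
#define NAME_BUF 64
/* Bound rpcgen emits for an unbounded declaration such as "string nis_name<>". */
#define XDR_UNBOUNDED 0xFFFFFFFFu
/* Stand-in value for the saved return address in the modeled frame. */
#define RETADDR_MARKER ((uintptr_t)0x1000)

/* Encode s as an XDR string: 4-byte big-endian length, bytes, zero pad to a
 * multiple of 4. Returns the encoded size, or 0 if out is too small. */
static size_t xdr_string_encode(const char *s, unsigned char *out, size_t outsize)
{
    size_t len = strlen(s);
    size_t padded = (len + 3) & ~(size_t)3;
    if (len > 0xFFFFFFFFu || outsize < 4 + padded) return 0;
    out[0] = (unsigned char)(len >> 24); out[1] = (unsigned char)(len >> 16);
    out[2] = (unsigned char)(len >> 8);  out[3] = (unsigned char)len;
    memset(out + 4, 0, padded);
    memcpy(out + 4, s, len);
    return 4 + padded;
}

/* Decode one XDR string, allocating the result as xdr_string() does.
 * Returns NULL for a malformed message or a length above maxsize. That
 * comparison is the only length check XDR applies, so with
 * maxsize == XDR_UNBOUNDED any length the client claims is accepted. */
static char *xdr_string_decode(const unsigned char *msg, size_t msglen, uint32_t maxsize)
{
    if (msglen < 4) return NULL;
    uint32_t len = ((uint32_t)msg[0] << 24) | ((uint32_t)msg[1] << 16) |
                   ((uint32_t)msg[2] << 8) | (uint32_t)msg[3];
    if (len > maxsize) return NULL;
    size_t padded = ((size_t)len + 3) & ~(size_t)3;
    if (msglen - 4 < padded) return NULL;
    char *s = malloc((size_t)len + 1);
    if (s == NULL) return NULL;
    memcpy(s, msg + 4, len);
    s[len] = '\0';
    return s;
}

/* Model of the handler's stack frame: the name buffer followed by the
 * saved return address, as a compiler might lay them out. */
struct frame {
    char name[NAME_BUF];
    uintptr_t saved_return;
};

/* Vulnerable handler: copies nis_name into the fixed buffer with no length
 * check and returns what the saved-return slot holds afterwards. The copy is
 * clamped to the struct so the model stays in bounds; the real daemon keeps
 * writing past the frame. */
static uintptr_t handle_unchecked(const char *nis_name)
{
    struct frame f;
    f.saved_return = RETADDR_MARKER;
    size_t n = strlen(nis_name) + 1;
    if (n > sizeof f) n = sizeof f;
    memcpy((unsigned char *)&f, nis_name, n);
    return f.saved_return;
}

/* Hardened handler: rejects the name before touching the buffer. Returns 0 on
 * success, -1 for an oversized name (the caller would answer with a NIS error
 * status), -2 if the frame was corrupted anyway. */
static int handle_checked(const char *nis_name)
{
    struct frame f;
    f.saved_return = RETADDR_MARKER;
    size_t len = strlen(nis_name);
    if (len >= sizeof f.name) return -1;
    memcpy(f.name, nis_name, len + 1);
    return f.saved_return == RETADDR_MARKER ? 0 : -2;
}

/* Constructed test input: a name of namelen 'A' characters (at most 511). */
static const char *constructed_name(size_t namelen)
{
    static char buf[512];
    if (namelen >= sizeof buf) namelen = sizeof buf - 1;
    memset(buf, 'A', namelen);
    buf[namelen] = '\0';
    return buf;
}

/* Encode a constructed name of namelen bytes, decode it with the given bound,
 * and return the decoded length, or -1 if the decoder rejected it. */
static long decode_request(size_t namelen, uint32_t maxsize)
{
    unsigned char msg[1024];
    size_t n = xdr_string_encode(constructed_name(namelen), msg, sizeof msg);
    if (n == 0) return -1;
    char *name = xdr_string_decode(msg, n, maxsize);
    if (name == NULL) return -1;
    long len = (long)strlen(name);
    free(name);
    return len;
}

int main(void)
{
    printf("unbounded decode of 200-byte name: %ld\n", decode_request(200, XDR_UNBOUNDED));
    printf("bounded decode of 200-byte name:   %ld\n", decode_request(200, NAME_BUF - 1));
    printf("unchecked handler, saved return:   0x%lx\n",
           (unsigned long)handle_unchecked(constructed_name(200)));
    printf("checked handler status:            %d\n", handle_checked(constructed_name(200)));
    return 0;
}
```

The frame is modeled as a struct so the overwritten saved-return slot can be read back without crashing the process; in the real daemon the copy runs off the end of the frame and the overwritten return address is what the attacker controls. The two fixes the model shows are the ones a practitioner would look for in a patched rpc.nisd: a bound on the argument at the XDR layer, and a length check in the handler before any copy into a fixed buffer.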

Affected Products:

  • HP HP-UX 10.34.0
  • HP HP-UX 11.0.0
  • Sun Solaris 2.3.0
  • Sun Solaris 2.4.0
  • Sun Solaris 2.4.0_x86
  • Sun Solaris 2.5.0
  • Sun Solaris 2.5.0_x86
  • Sun Solaris 2.5.1
  • Sun Solaris 2.5.1_x86
  • Sun Solaris 2.6
  • Sun Solaris 2.6_x86

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.