yppasswdd detected

New (3.3.1)

Impact

A vulnerability in yppasswdd could allow a remote attacker to execute arbitrary commands with root privileges.

Background

NIS is a set of services which provide centralized account management and system configuration capabilities for a Unix network. rpc.yppasswdd is a service which runs as part of NIS to provide users with the ability to change their passwords.

The Problem

Due to a buffer overflow condition, it is possible for an attacker to overwrite the stack pointer in yppasswdd, thus gaining the ability to execute arbitrary commands with root privileges. The versions of yppasswdd included in Solaris 2.6 and 7 are vulnerable.

Resolution

Disable the yppasswdd service if it is not needed. This can be done by removing the execute permission from rpc.yppasswdd as follows:

    chmod a-x /usr/lib/netsvc/yp/rpc.yppasswdd

Also kill the currently running rpc.yppasswdd process as follows:

    ps -ef
    kill <pid of rpc.yppasswdd>

where <pid of rpc.yppasswdd> is the process ID of the rpc.yppasswdd process in the output from the ps command.

The above workaround will deny users the ability to change their own passwords. If this side-effect is not desired, then a patch should be applied as soon as one becomes available. Check SunSolve regularly for patch information. Any servers running NIS should also be protected by a firewall.
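
To confirm that the workaround described above took effect, the following added example (not part of the original advisory or of any vendor tooling) checks the execute bits on the binary, the rpcbind registration and the process list. The function names are hypothetical, the sample command output is constructed, and 100009 is the RPC program number assigned to yppasswdd.

```shell
#!/bin/sh
# Added example: confirm the rpc.yppasswdd workaround is in place.
# Live use (as root on the NIS master):
#   check_workaround /usr/lib/netsvc/yp/rpc.yppasswdd "$(rpcinfo -p)" "$(ps -ef)"
YPPASSWDD_PROG=100009   # RPC program number assigned to yppasswdd

# stdin: `rpcinfo -p` output. Succeeds if yppasswdd is registered with rpcbind.
yppasswdd_registered() {
    awk -v prog="$YPPASSWDD_PROG" '$1 == prog { found = 1 } END { exit !found }'
}

# stdin: `ps -ef` output. Prints PIDs whose command (not an argument, so a
# "grep rpc.yppasswdd" line is ignored) is rpc.yppasswdd. STIME may be one
# field ("10:15:01") or two ("Jan 01"), which shifts the CMD column.
yppasswdd_pids() {
    awk '{ c = ($5 ~ /^[A-Za-z]+$/ && $6 ~ /^[0-9]+$/) ? 9 : 8
           if ($c ~ "(^|/)rpc[.]yppasswdd$") print $2 }'
}

# Succeeds if any execute bit (user, group or other) is set on the file.
yppasswdd_exec_bits_set() {
    [ -n "$(find "$1" -prune \( -perm -100 -o -perm -010 -o -perm -001 \) \
            -print 2>/dev/null)" ]
}

# Args: binary path, rpcinfo text, ps text. Returns 0 only if all checks pass.
check_workaround() {
    rc=0
    if yppasswdd_exec_bits_set "$1"; then
        echo "FAIL: $1 still has an execute bit set"; rc=1; fi
    if printf '%s\n' "$2" | yppasswdd_registered; then
        echo "FAIL: RPC program $YPPASSWDD_PROG is still registered"; rc=1; fi
    pids=$(printf '%s\n' "$3" | yppasswdd_pids)
    if [ -n "$pids" ]; then
        echo "FAIL: rpc.yppasswdd still running, pid(s):" $pids; rc=1; fi
    [ "$rc" -eq 0 ] && echo "OK: rpc.yppasswdd is disabled"
    return "$rc"
}

# Constructed sample output (not from a real host).
sample_rpcinfo() { cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100009    1   udp  32771  yppasswdd
EOF
}
sample_ps() { cat <<'EOF'
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   184     1  0   Jan 01 ?        0:00 /usr/lib/netsvc/yp/rpc.yppasswdd -m
    root   312   290  0 10:20:00 pts/1    0:00 grep rpc.yppasswdd
EOF
}
```

A registration that remains after the process has been killed can be a stale rpcbind entry, so read that result together with the process check.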

Where can I read more about this?

This vulnerability was reported by the SANS Emergency Incident Handler.