yppasswdd detected
New (3.3.1)
Impact
A vulnerability in yppasswdd could allow a remote
attacker to execute arbitrary commands with root privileges.
Background
NIS is a set of services which provide
centralized account management and system configuration
capabilities for a Unix network. rpc.yppasswdd
is a service which runs as part of NIS to
provide users with the ability to change their passwords.
The Problem
Due to a buffer overflow condition, it is possible for an attacker
to overwrite the stack pointer in yppasswdd, thus
gaining the ability to execute arbitrary commands with root privileges.
The versions of yppasswdd included in Solaris 2.6 and 7
are vulnerable.
Resolution
Disable the yppasswdd service if it is not
needed. This can be done by removing the execute permission
from rpc.yppasswdd as follows:
chmod a-x /usr/lib/netsvc/yp/rpc.yppasswdd
Also kill the currently running rpc.yppasswdd
process as follows:
ps -ef
kill <pid of rpc.yppasswdd>
where <pid of rpc.yppasswdd> is the process ID of the
rpc.yppasswdd process in the output from the
ps command.
The above workaround will deny users the ability to change
their own passwords. If this side-effect is not desired,
then a patch should be applied as soon as one becomes available.
Check SunSolve
regularly for patch information.
Any servers running NIS should also be protected
by a firewall.
Where can I read more about this?
This vulnerability was reported by the
SANS Emergency Incident Handler.