COMMAND

    NIS

SYSTEMS AFFECTED

    - 1.4.x: All versions prior to 1.4.3 (fix will be in 1.4.3)
    - 1.5_ALPHA: prior to June 30, 2000 (fix will be in 1.5)
    - current: prior to June 30, 2000

PROBLEM

    Following is based on a  NetBSD Security Advisory 2000-012.   This
    vulnerability  applies  only  if  the  node  uses NIS for hostname
    lookups (the default NetBSD configuration is not vulnerable)

    NIS client  nodes may  be vulnerable  to a  remote buffer overflow
    attack.   If  the  node  is  configured  to  use  NIS for hostname
    lookups, and a rogue NIS server  is in a position to respond  to a
    hostname lookup request, a malformed response could cause a denial
    of service  due to  abnormal program  termination.   In the  worst
    case, an account could be hijacked.

    The default installation of NetBSD  is not vulnerable, as the  NIS
    client  daemons  are  not  started  by  default,  and  the default
    /etc/nsswitch.conf file does not use NIS for hostname lookups.

    The NIS hostname  lookup code (in  src/lib/libc/net/gethnamaddr.c,
    in the _yphostent()  function) uses a  statically-allocated buffer
    to hold  IPv4 addresses  obtained from  the lookup.   The original
    version failed to bounds check writes into the buffer.

    If a rogue NIS server injects a lookup result with a large number
    of matches, the NIS hostname lookup code could overrun the buffer.

    The attack is not likely to be effective in practice on  otherwise
    well-configured systems.  However,  NIS does not include  any form
    of  authentication,  and  NIS  clients  generally trust NIS server
    data, and  a rogue  server could  introduce bogus  passwd or group
    entries which may also allow for a remote compromise of a  system;
    NIS should generally  only be used  when the network  is separated
    from the greater Internet by some sort of firewall.

SOLUTION

    The default installation  of NetBSD is  not vulnerable.   To check
    if  your  node  is  vulnerable  or  not, check the "hosts" line in
    /etc/nsswitch.conf.  It the line has "nis" on it, your node may be
    vulnerable.

    Note that if either of the "passwd" or "group" lines have "nis" in
    them, or if the passwd or group files have an entry for `+',  your
    system is using NIS for user and/or group lookup and should not be
    directly connected to the Internet.

    To  correct  this  problem,  take  one  or  more  of the following
    actions:

        1. Turn  NIS  hostname  lookup  off,  if appropriate for  your
           installation.  (Edit  /etc/nsswitch.conf, and remove  "nis"
           from the "hosts" line)
        2. Upgrade to  a more recent  version of NetBSD.   If you  are
           using NetBSD prior to 1.4.3,  it would be a good  chance to
           upgrade.
        3. Apply the following patch to your source tree:

           ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000808-nis

           Then rebuild and reinstall libc, and rebuild and  reinstall
           all statically linked binaries.

    Systems running releases older than NetBSD 1.4 should be  upgraded
    to NetBSD 1.4.2 before applying the fixes described here.

    Systems running  NetBSD-current dated  from before  July 30,  2000
    should be upgraded to NetBSD-current dated July 30, 2000 or later.

    Systems running  NetBSD-release dated  from before  August 4, 2000
    should  be  upgraded  to  NetBSD-release  dated  August 4, 2000 or
    later.