COMMAND

    Passwd+/NPasswd

SYSTEMS AFFECTED

    Systems running Passwd+ or NPasswd and possibly similar programs.

PROBLEM

    jack0 <jack0@CORINNE.MAC.EDU> reported a vulnerability in the
    forced-password-change handling of YP/NIS/NIS+.

    Passwd+ and NPasswd (and possibly other similar programs) were
    developed to let system administrators force users to change their
    passwords at set intervals and to check the new passwords so that
    they are alphanumeric sequences rather than common dictionary words.
    Although a step in the right direction, these packages are not as
    secure as they seem.

    The problem lies in the program itself. To really assess blame, one
    can say it is sloppy programming that causes this problem. It is
    useful to force a user to change their password every so often.
    However, the default sequence of events in some incarnations of
    YP/NIS is really horrendous.

        UNIX(r) System V Release 4.0 (good religous site)

        login: priest
        Sorry Passwd has expired
        Change:

    Instead of having the user enter their OLD password first, the
    YP/NIS program asks the user to enter the new password without
    verifying that it is actually the authorized user who is logging in.
    Anyone who reaches the login prompt for an account whose password has
    expired can therefore set a new password for it.
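    The sequence of events described above, modelled as an added example
    that is not code from Passwd+, NPasswd, YP/NIS or the reporter. The
    account store, the hashing scheme (salted PBKDF2) and the function
    names are assumptions made for illustration only. The first flow
    sets a new password on an expired account without ever checking the
    old one, as the advisory describes; the second flow verifies the old
    password before it permits the change.

```python
import hashlib
import hmac
import os

# Constructed sample account record: a salted PBKDF2 hash plus an
# expiry timestamp. Nothing here is taken from a real NIS map.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password: str, expires_at: float) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "expires_at": expires_at}

def password_matches(account: dict, candidate) -> bool:
    if candidate is None:
        return False
    # Constant-time comparison of the derived hashes.
    return hmac.compare_digest(_hash(candidate, account["salt"]), account["hash"])

def is_expired(account: dict, now: float) -> bool:
    return now >= account["expires_at"]

def _set_password(account: dict, new_password: str, now: float) -> None:
    account["salt"] = os.urandom(16)
    account["hash"] = _hash(new_password, account["salt"])
    account["expires_at"] = now + 90 * 86400  # assumed 90-day interval

def vulnerable_login(account: dict, supplied_old, new_password, now: float) -> bool:
    """Models the flawed flow: when the password has expired the login
    goes straight to the 'Change:' prompt and stores whatever is typed,
    without ever asking for the old password."""
    if is_expired(account, now):
        _set_password(account, new_password, now)   # no identity check
        return True
    return password_matches(account, supplied_old)

def hardened_login(account: dict, supplied_old, new_password, now: float) -> bool:
    """Corrected flow: the old password must verify before anything
    else happens; only then is an expired password allowed to change."""
    if not password_matches(account, supplied_old):
        return False                                # unknown caller, stop here
    if is_expired(account, now):
        # The expired password still authenticates the user, but it may
        # only be used to set a fresh, different password.
        if not new_password or new_password == supplied_old:
            return False
        _set_password(account, new_password, now)
    return True

if __name__ == "__main__":
    acct = make_account("correct-horse", expires_at=1000.0)
    print("vulnerable flow, no old password:",
          vulnerable_login(acct, None, "unverified-new", now=2000.0))
    acct = make_account("correct-horse", expires_at=1000.0)
    print("hardened flow, wrong old password:",
          hardened_login(acct, "wrong", "unverified-new", now=2000.0))
    print("hardened flow, correct old password:",
          hardened_login(acct, "correct-horse", "fresh-one", now=2000.0))
```

    The point the model makes is that password expiry is a policy
    decision, not an authentication event: an expired credential still
    has to be presented and verified before the account can be altered.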

SOLUTION

    This seems to be a rather old vulnerability, but it is still
    "active". Check with your vendor whether a newer version of the
    software you use, or a patch for this problem, is available.