
CERT Coordination Center

ypxfrd daemon fails to properly validate user supplied arguments in "getdbm" procedure

Vulnerability Note VU#538033

Original Release Date: 2002-10-10 | Last Revised: 2003-04-09

Overview

A vulnerability in the ypxfrd daemon may allow a local attacker to read arbitrary files on the vulnerable system.

Description

Janusz Niewiadomski, of iSEC, discovered this vulnerability and produced the following advisory.

Issue:
======
Improper argument validation in ypxfrd may allow a local attacker to read any file on the system.

Description:
============
The ypxfrd daemon is used to speed up the distribution of large NIS maps from the NIS master to NIS slave servers.

Details:
========
When the getdbm procedure is called, the ypxfrd daemon creates a path to the /var/yp/domain/map file (where domain and map are arguments provided in the request). Unfortunately, it fails to check if both arguments contain slash or dot characters, thus making databases outside the /var/yp directory accessible. A symlink can override the .pag / .dir file extension limitation, allowing a local attacker to read any file on the system.

Impact:
=======
When ypxfrd is configured and running, a local attacker is able to read any file on the system. It is also possible to remotely read databases outside the /var/yp directory, depending on the securenets configuration.
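
The path construction described in the advisory above, shown next to a validated form, as an added example that is not part of the advisory and is not any vendor's ypxfrd code. The function names, the sample domain and the leading-dot rule are assumptions; interior dots are allowed because NIS map names such as passwd.byname contain them.

```c
#include <stdio.h>
#include <string.h>

#define YP_DIR "/var/yp"   /* map root named in the advisory */

/* Behaviour described in the advisory: both request arguments are
 * pasted into the path with no validation. */
static int build_path_unchecked(const char *domain, const char *map,
                                char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s/%s", YP_DIR, domain, map);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* A request argument must be a single path component: non-empty, no
 * '/', and no leading '.' (rejects "." and ".."). Interior dots stay
 * legal because map names such as "passwd.byname" contain them. */
static int component_ok(const char *s)
{
    if (s == NULL || s[0] == '\0' || s[0] == '.')
        return 0;
    return strchr(s, '/') == NULL;
}

/* Hardened form: validate first, then build the path. Returns 0 on
 * success, -1 if either argument is rejected or the path is too long. */
static int build_path_checked(const char *domain, const char *map,
                              char *out, size_t outlen)
{
    if (!component_ok(domain) || !component_ok(map))
        return -1;
    return build_path_unchecked(domain, map, out, outlen);
}

int main(void)
{
    /* Constructed sample requests: {domain, map}. */
    const char *req[][2] = {
        {"example.org", "passwd.byname"},
        {"../../tmp", "x"},
        {"example.org", "../../../tmp/x"},
    };
    char path[256];
    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++) {
        int rc = build_path_checked(req[i][0], req[i][1], path, sizeof path);
        printf("%s %s -> %s\n", req[i][0], req[i][1], rc ? "rejected" : path);
    }
    return 0;
}
```

With both arguments held to a single component, the resulting path stays under /var/yp, so a request cannot be steered to a .pag or .dir symlink placed in a directory outside it.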

Impact

A local attacker may be able to read any file on the vulnerable system. This may lead to privilege escalation.

Solution

Apply a patch.

Vendor Information


IBM Affected

Notified:  August 28, 2002 Updated: October 10, 2002

Status

Affected

Vendor Statement

The AIX operating system is vulnerable to the issue detailed above in the advisory. This affects AIX releases 4.3.3 and 5.1.0. An efix package for this issue will be available from the IBM software ftp site by 10/16/2002 at the latest. The package will be located at:

ftp://ftp.software.ibm.com/aix/efixes/security/ypserv_efix.tar.Z

The efix packages can be downloaded via anonymous ftp from ftp.software.ibm.com/aix/efixes/security.

This directory contains a README file that gives further details on the efix packages.

The APARs for this vulnerability are:

AIX 4.3.3: IY34800 ( available approx 10/16/2002 )
AIX 5.1.0: IY34664 ( currently available )

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems Inc. Affected

Updated:  October 10, 2002

Status

Affected

Vendor Statement

The Solaris ypxfrd(1M) and ypserv(1M) daemons are affected by this issue in all currently supported versions of Solaris:

Solaris 2.6, 7, 8, and 9

Patches are being generated for all of the above releases. Sun will be publishing Sun Alert #47903 for this issue shortly. The Sun Alert will be available from:

http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F47903

The patches will be available from:

http://sunsolve.sun.com/securitypatch

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


The SCO Group (SCO UnixWare) Affected

Notified:  August 28, 2002 Updated: September 18, 2002

Status

Affected

Vendor Statement

SCO OpenServer is vulnerable to this issue, and we are currently working on a fix. Caldera OpenLinux is also vulnerable, and a fix is in progress. SCO Open UNIX and SCO UnixWare are not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Apple Computer Inc. Not Affected

Notified:  August 28, 2002 Updated: September 03, 2002

Status

Not Affected

Vendor Statement

Mac OS X and Mac OS X Server do not contain the vulnerability described in this report.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Cray Inc. Not Affected

Notified:  August 28, 2002 Updated: September 04, 2002

Status

Not Affected

Vendor Statement

Cray Inc. is not vulnerable as it does not include the ypxfrd daemon as part of its NIS implementation.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Debian Not Affected

Notified:  August 28, 2002 Updated: October 30, 2002

Status

Not Affected

Vendor Statement

Debian is not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


FreeBSD Not Affected

Notified:  August 28, 2002 Updated: September 18, 2002

Status

Not Affected

Vendor Statement

This vulnerability does not exist in FreeBSD's implementation of the NIS map transfer server, rpc.ypxfrd(8).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


MandrakeSoft Not Affected

Notified:  August 28, 2002 Updated: October 11, 2002

Status

Not Affected

Vendor Statement

MandrakeSoft products are not vulnerable as we use an independent version from Thorsten Kukuk.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


NEC Corporation Not Affected

Notified:  August 28, 2002 Updated: September 24, 2002

Status

Not Affected

Vendor Statement

sent on September 24, 2002

[Server Products]

* EWS/UP 48 Series operating system
- is NOT vulnerable, since it does not support ypxfrd(1M).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


OpenBSD Not Affected

Notified:  August 28, 2002 Updated: September 05, 2002

Status

Not Affected

Vendor Statement

We do not have this daemon. Various internal database formats made it very difficult for us to write code that would use this protocol; so we instead transfer maps using the older -- slower -- method.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Red Hat Inc. Not Affected

Notified:  August 28, 2002 Updated: August 29, 2002

Status

Not Affected

Vendor Statement

Red Hat products are not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


SGI Not Affected

Notified:  August 28, 2002 Updated: August 29, 2002

Status

Not Affected

Vendor Statement

IRIX is not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


SuSE Inc. Not Affected

Notified:  August 28, 2002 Updated: August 29, 2002

Status

Not Affected

Vendor Statement

The implementation that we are using in all currently supported SuSE products is independent code from Thorsten Kukuk <kukuk@suse.de>. This code has a check for the occurrence of "/"-characters in the supplied filename, and bails out if this is the case. SuSE products are therefore not vulnerable to this problem.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


BSDI Unknown

Notified:  August 28, 2002 Updated: August 29, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Conectiva Unknown

Notified:  August 28, 2002 Updated: August 29, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Data General Unknown

Notified:  August 28, 2002 Updated: August 29, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Fujitsu Unknown

Notified:  August 28, 2002 Updated: August 29, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Guardian Digital Inc. Unknown

Notified:  August 28, 2002 Updated: August 29, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Hewlett-Packard Company Unknown

Notified:  August 28, 2002 Updated: August 29, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


MontaVista Software Unknown

Notified:  August 28, 2002 Updated: August 29, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


NeXT Unknown

Notified:  August 28, 2002 Updated: August 29, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


NetBSD Unknown

Notified:  August 28, 2002 Updated: August 29, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Openwall GNU/*/Linux Unknown

Notified:  August 28, 2002 Updated: August 29, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Sequent Unknown

Notified:  August 28, 2002 Updated: August 29, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Sony Corporation Unknown

Notified:  August 28, 2002 Updated: August 29, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Unisys Unknown

Notified:  August 28, 2002 Updated: August 29, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Wind River Systems Inc. Unknown

Notified:  August 28, 2002 Updated: August 29, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.





Acknowledgements

Thanks to Janusz Niewiadomski for reporting this vulnerability. We also thank Sun Microsystems for their assistance.

This document was written by Ian A Finlay.

Other Information

CVE IDs: CVE-2002-1199
Severity Metric: 4.50
Date Public: 2002-10-09
Date First Published: 2002-10-10
Date Last Updated: 2003-04-09 19:31 UTC
Document Revision: 7

Sponsored by CISA.