_____________________________________________________
       The Computer Incident Advisory Capability
                    ___  __ __    _     ___
                   /       |    /  \   /
                   \___  __|__ /    \  \___
_____________________________________________________

                     Information Bulletin

          NeXTstep NetInfo Configuration Vulnerability

January 21, 1991 1400 PST                                    Number C-13
_________________________________________________________________________

PROBLEM:   By default, the NetInfo server process allows unrestricted
           access to system databases.
PLATFORM:  NeXT computers with release 2 of the NeXTstep operating system.
DAMAGE:    Remote users can gain unauthorized access to the network's
           administrative information, such as the passwd database.
SOLUTION:  Correctly configure the NetInfo root directory so that the
           trusted_networks property is set only to the network addresses
           of the networks your server trusts.
__________________________________________________________________________

           Critical Facts about the NeXT NetInfo Vulnerability

CIAC has learned of a configuration vulnerability in release 2 of the
NeXTstep operating system for NeXT computers. Because a NetInfo server
process will by default allow unrestricted access to system databases,
remote users can gain unauthorized access to the network's administrative
information. For example, if a NeXT computer (or LAN) grants external
access to other TCP/IP networks, information about hosts and users in
NetInfo can be used by remote attackers to compromise the security of the
local network and the hosts connecting to it. In particular, an
unauthorized user can remotely obtain the NetInfo password database (the
NetInfo /users directory) if the default settings are not changed as
described below.

NeXT Computer Inc. recommends that each domain that stores user passwords
be protected against outside access. To accomplish this, ensure that the
trusted_networks property of each NetInfo domain's root directory is set
correctly, so that only systems trusted to obtain information from NetInfo
are granted access.
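To make the effect of the trusted_networks property concrete, the following Python program models the access decision a NetInfo server makes for a requesting client. It is an added example, not NeXT's code and not part of the original bulletin. The bulletin supports two facts the model relies on: a root directory with no trusted_networks property answers every client, and each value must be the network portion of an Internet address with no trailing period. The matching rule itself (compare the client's leading octets with the listed network number) is an assumption made for illustration, and the root-directory contents and client addresses are constructed.

```python
"""Model of NetInfo's trusted_networks access check.

Added example, not NeXT's code. The bulletin states that a NetInfo server
whose root directory has no trusted_networks property answers any client,
and that each value of the property must be the network portion of an
Internet address with no trailing period. The matching rule below (compare
the client's leading octets with the listed network number) is an
assumption made for illustration; the root-directory contents and the
client addresses are constructed.
"""
from __future__ import annotations

from ipaddress import IPv4Address


def parse_trusted_network(value: str) -> tuple[int, ...]:
    """Validate one trusted_networks value and return its octets.

    Accepts one to three dotted decimal octets, i.e. the network portion of
    a classful address such as "192.0.2". Rejects a trailing period, empty
    or out-of-range octets, and a full four-octet host address.
    """
    if value.endswith("."):
        raise ValueError(f"{value!r}: trailing period is not allowed")
    parts = value.split(".")
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"{value!r}: expected 1 to 3 octets (network portion only)")
    octets = []
    for part in parts:
        if not part.isdigit() or int(part) > 255:
            raise ValueError(f"{value!r}: bad octet {part!r}")
        octets.append(int(part))
    return tuple(octets)


def client_is_trusted(root_props: dict[str, list[str]], client_ip: str) -> bool:
    """Decide whether the modelled server would answer client_ip.

    root_props models the properties of a NetInfo domain's root directory.
    A missing trusted_networks property is the insecure default the
    bulletin warns about: every client is answered. Otherwise the client is
    answered only if its leading octets equal one of the listed networks.
    """
    if "trusted_networks" not in root_props:
        return True
    client = tuple(int(o) for o in str(IPv4Address(client_ip)).split("."))
    for value in root_props["trusted_networks"]:
        network = parse_trusted_network(value)
        if client[: len(network)] == network:
            return True
    return False


def audit(root_props: dict[str, list[str]], clients: list[str]) -> dict[str, bool]:
    """Map each client address to whether the server would answer it."""
    return {ip: client_is_trusted(root_props, ip) for ip in clients}


# Constructed root-directory contents. "master" is the property the steps
# in this bulletin tell you to click before appending trusted_networks;
# its value here is a placeholder.
DEFAULT_ROOT = {"master": ["nihost/network"]}                                 # property never set
FIXED_ROOT = {"master": ["nihost/network"], "trusted_networks": ["192.0.2"]}
TYPO_ROOT = {"master": ["nihost/network"], "trusted_networks": ["192.0.20"]}  # one digit off

# Constructed clients: one on the 192.0.2 network, one on an outside network.
CLIENTS = ["192.0.2.44", "198.51.100.7"]

if __name__ == "__main__":
    for name, props in [("default", DEFAULT_ROOT), ("fixed", FIXED_ROOT), ("typo", TYPO_ROOT)]:
        print(f"{name:8s} {audit(props, CLIENTS)}")
```

The three rows are the three situations the bulletin describes: with the property absent both clients are answered, with a correct network number only the local client is answered, and with a mistyped number the local client is refused as well, which is the lockout the WARNING below the procedure refers to. The parser also refuses a value with a trailing period or a full host address, the two entry mistakes the procedure cautions against.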
The value of the trusted_networks property should be the network address
(see step 7 below) of each network the server should trust. Consult
Chapter 16, "Security", of the "NeXT Network and System Administration"
manual for release 2 for detailed procedures on setting the
trusted_networks property of the root NetInfo directory. The following is
a brief overview of those procedures for NeXT administrators already
familiar with them (the steps must be performed with root privilege):

1. With NetInfoManager, open the domain to be protected. Click the root
   directory.
2. Choose Open Directory from the Directory menu.
3. Click "master" in the Properties column.
4. Choose Append Property. Notice the property called "new_property".
5. Click that property. Change the text in the field at the bottom of the
   window from "new_property" to "trusted_networks". Press <return> to
   record the change.
6. Choose New Value from the Directory menu. Notice the value in the
   Values column called "new_value".
7. Click "new_value" in the Values column. Change the text in the field
   at the bottom of the window from "new_value" to your network address.
   This is the portion of the Internet address that identifies the
   network: enter the network number assigned to you by the NIC or your
   corporate network manager. Do not include a trailing period in the
   network number. Press <return> to record the change.
8. Save the directory by choosing Save in the Directory menu.

WARNING: If you enter this number incorrectly, legitimate machines may be
unable to boot or to read administrative information. If you are in doubt
about these instructions, refer to the manual described above.

CAUTION: Improperly setting trusted_networks can render your network
unusable.

For additional information or assistance, please contact CIAC. Send
e-mail to ciac@llnl.gov or call CIAC at (510) 422-8193** / (FTS) 532-8193.

David S.
Brown, (510) 423-9878** or (FTS) 543-9878, dsbrown@llnl.gov
FAX: (510) 423-8002** or (FTS) 543-8002

**Note: the area code has changed from 415, although the 415 area code
will continue to work until Jan. 27, 1992.

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Some of the other
teams include the NASA NSI response team, DARPA's CERT/CC, NAVCIRT, and
the Air Force response team. Your agency's team will coordinate with CIAC.

CIAC would like to thank Alan Marcum of NeXT Computer Inc. and the
Computer Emergency Response Team/Coordination Center (CERT/CC) for some of
the material provided in this bulletin.

Neither the United States Government nor the University of California nor
any of their employees makes any warranty, expressed or implied, or
assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial product, process, or
service by trade name, trademark, manufacturer, or otherwise does not
necessarily constitute or imply its endorsement, recommendation, or
favoring by the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily
state or reflect those of the United States Government or the University
of California, and shall not be used for advertising or product
endorsement purposes.