77 lines
2.8 KiB
Plaintext
77 lines
2.8 KiB
Plaintext
|
|
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
===========================================================================
|
|
CA-92:01 CERT Advisory
|
|
January 20, 1992
|
|
NeXTstep Configuration Vulnerability
|
|
|
|
- ---------------------------------------------------------------------------
|
|
|
|
The Computer Emergency Response Team/Coordination Center (CERT/CC)
|
|
has received information concerning a vulnerability in release 2 of
|
|
NeXTstep's NetInfo default configuration. This vulnerability will
|
|
be corrected in future versions of NeXTstep.
|
|
|
|
- ---------------------------------------------------------------------------
|
|
|
|
I. Description
|
|
|
|
By default, a NetInfo server process will provide information to
|
|
any machine that requests it.
|
|
|
|
|
|
II. Impact
|
|
|
|
Remote users can gain unauthorized access to the network's
|
|
administrative information such as the passwd file.
|
|
|
|
|
|
III. Solution
|
|
|
|
Ensure that the trusted_networks property of each NetInfo domain's
|
|
root NetInfo directory is set correctly, so that only those systems
|
|
which should be obtaining information from NetInfo are granted
|
|
access. The value for the trusted_networks property should be the
|
|
network numbers of the networks the server should trust.
|
|
|
|
Note that improperly setting trusted_networks can render your
|
|
network unusable.
|
|
|
|
Consult Chapter 16, "Security", of the "NeXT Network and System
|
|
Administration" manual for release 2 for details on setting the
|
|
trusted_networks property of the root NetInfo directory.
|
|
|
|
- ---------------------------------------------------------------------------
|
|
The CERT/CC wishes to thank NeXT Computer, Inc. for their cooperation in
|
|
documenting and publicizing this security vulnerability.
|
|
- ---------------------------------------------------------------------------
|
|
|
|
If you believe that your system has been compromised, contact CERT/CC via
|
|
telephone or e-mail.
|
|
|
|
Internet E-mail: cert@cert.org
|
|
Telephone: 412-268-7090 (24-hour hotline)
|
|
CERT/CC personnel answer 7:30a.m.-6:00p.m. EST(GMT-5)/EDT(GMT-4),
|
|
on call for emergencies during other hours.
|
|
|
|
Computer Emergency Response Team/Coordination Center (CERT/CC)
|
|
Software Engineering Institute
|
|
Carnegie Mellon University
|
|
Pittsburgh, PA 15213-3890
|
|
|
|
Past advisories and other information related to computer security are
|
|
available for anonymous ftp from the cert.org (192.88.209.5) system.
|
|
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.2
|
|
|
|
iQCVAwUBMaMw3XVP+x0t4w7BAQHc/QP6AryLpl/9r1wuIxxp3u9PsCBlrXHOtyGM
|
|
WwExHvW6VKtWN1uhQD03xIqTXJMLhi4jne2cdPhqWbh7SFUhyyx96hpuj6GyBKXY
|
|
XgxY30SdugAQh/9xbrvfNmIAdsP2qChw65aDlirqgEwssT20+zaYrd8qS4WJ+iwi
|
|
WBIEWGrhIQI=
|
|
=XsLE
|
|
-----END PGP SIGNATURE-----
|
|
|