=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2009/VULN234
_____________________________________________________________________

DATE                      : 11/06/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Solaris, OpenSolaris running rpc.nisd.

=======================================================================
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-66-256748-1
______________________________________________________________________

   Solution Type: Sun Alert
   Solution  256748 :   A Security Vulnerability in the Solaris
   rpc.nisd(1M) Daemon may Cause a Denial of Service (DoS) Condition to a
   NIS+ Server
   Bug ID: 6466160

   Product
   Solaris 8 Operating System
   Solaris 9 Operating System
   Solaris 10 Operating System
   OpenSolaris

   Date of Resolved Release: 09-Jun-2009

   SA Document Body
   A security vulnerability in the Solaris rpc.nisd(1M) daemon may cause a
   Denial of Service (DoS) condition to a NIS+ server:

   1. Impact
   A security vulnerability in the Solaris rpc.nisd(1M) daemon may allow
   remote privileged users on certain NIS+ clients to cause a Denial of
   Service (DoS) condition to a NIS+ server, preventing the server from
   responding to all NIS+ client requests.

   2. Contributing Factors
   This issue can occur in the following releases:
   SPARC Platform
     * Solaris 8 without patch 128624-09
     * Solaris 9 without patch 112960-65
     * Solaris 10 without patch 140917-01
     * OpenSolaris based upon builds snv_01 through snv_103

   x86 Platform
     * Solaris 8 without patch 128625-09
     * Solaris 9 without patch 114242-50
     * Solaris 10 without patch 140918-01
     * OpenSolaris based upon builds snv_01 through snv_103

   Note 1: OpenSolaris distributions may include additional bug fixes
   above and beyond the build from which it was derived.  To determine
   the base build of OpenSolaris, the following command can be used:
    $ uname -v
    snv_86

   Note 2: This issue only affects systems that are configured as NIS+
   Master or Replica servers and have the rpc.nisd(1M) process running on
   the system.
   To determine if a system is a NIS+ Master or Replica server and if the
   rpc.nisd(1M) service is running, the following command may be run:
   On Solaris 10 and OpenSolaris systems:
    $ svcs svc:/network/rpc/nisplus:default
    STATE          STIME    FMRI
    online         Feb_17   svc:/network/rpc/nisplus:default

   If the "state" field in the output is "disabled" the system is not
   configured as a NIS+ Master or Replica server.
   On Solaris 8 and 9 systems:
    $ pgrep rpc.nisd || echo "This system is not a NIS+ server."

   3. Symptoms
   If the described issue occurs, NIS+ commands to lookup NIS+ data may
   hang. For example, running the following command from the NIS+ server
   machine may hang:
    $ niscat hosts.org_dir

   The stack trace of NIS+ server process rpc.nisd(1M) may be similar to
   the following:
    -----------------  lwp# 1 / thread# 1  --------------------
    ff11ce9c getmsg   (101, ffbec9e4, ffbec960, ffbec96c)
    ff1ca594 getmsg   (101, 557070, ffbec9f0, ffbec9e4, 1, ffbec9e4) + 34
    ff2a0418 _tx_connect (557000, 557070, 5e5ab8, 1, ff31ef60, ffbeca70) + 1fc
    ff2a4c9c set_up_connection (101, 0, 0, 5e5ab8, 531520, 101) + 140
    ff2a48d4 clnt_vc_create (101, 531520, 654150, 4000, 4000, ff322bf8) + 1bc
    ff294dc0 clnt_tli_create (4000, 1, 7021c0, 187ce, 1, 4000) + 214
    ff2e87ec __nis_clnt_create (6ef230, 1, 1, 7021c0, 0, 187ce) + 11c
    ff2e8b48 nis_make_rpchandle_gss_svc (4000, 0, 4a3090, 4e2e68, 0, 5600e0) + 2d0
    ff2e86c0 nis_make_rpchandle_uaddr (6f34b8, 1, 187ce, 1, 1, 4000) + 2c
    ff2ab92c nis_make_rpchandle (6f34b8, 1, 187ce, 1, 1, 4000) + 24
    0001a7d4 ???????? (ffbed0e0, 6b70f0, c74c0, ffbed0e0, 57f108, 0)
    0001b2f0 nis_iblist_svc (0, 5600e0, 57f108, 0, c74c0, 57f108) + 174
    0002ff84 nis_prog_svc (52400, 4a000, 1b17c, 498c8, f, ffbeddbc) + 4e4
    ff2d2dec _svc_prog_dispatch (2faa0, 3, 0, ff31ef60, 142378, 159778) + 180
    ff2d2bb8 svc_getreq_common (ff322e54, 1, ff32c9e0, ff32c908, 400, 142378) + d8
    ff2d2ac0 svc_getreq_poll (1, 1bc598, ff31ef60, 1, 0, 1bbd98) + 9c
    000180a4 main     (4a000, 52000, 12c, 4a034, 7fffffff, 10d) + 1404
    0001597c _start   (0, 0, 0, 0, 0, 0) + b8

   4. Workaround
   There is no workaround for this issue. Please see the Resolution
   section below.

   5. Resolution
   This issue is addressed in the following releases:
   SPARC Platform
     * Solaris 8 with patch 128624-09 or later
     * Solaris 9 with patch 112960-65 or later
     * Solaris 10 with patch 140917-01 or later
     * OpenSolaris based upon builds snv_104 or later

   x86 Platform
     * Solaris 8 with patch 128625-09 or later
     * Solaris 9 with patch 114242-50 or later
     * Solaris 10 with patch 140918-01 or later
     * OpenSolaris based upon builds snv_104 or later

   For more information on Security Sun Alerts, see Technical
   Instruction ID 213557.

   This Sun Alert notification is being provided to you on an "AS IS"
   basis. This Sun Alert notification may contain information provided by
   third parties. The issues described in this Sun Alert notification may
   or may not impact your system(s). Sun makes no representations,
   warranties, or guarantees as to the information contained herein. ANY
   AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
   WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
   NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
   YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
   OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
   This Sun Alert notification contains Sun proprietary and confidential
   information. It is being provided to you pursuant to the provisions of
   your agreement to purchase services from Sun, or, if you do not have
   such an agreement, the Sun.com Terms of Use. This Sun Alert
   notification may only be used for the purposes contemplated by these
   agreements.
   Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved


======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================