Patch-ID# 100482-08
Keywords: security ypserv ypxfrd res_send resolv.conf CERT 
Synopsis: SunOS 4.1.3: ypserv, ypxfrd & portmap security patch
Date: Nov/12/96

Solaris Release: 1.1
 
SunOS Release: 4.1.3, 4.1.3C
 
Unbundled Product: 
 
Unbundled Release:
 
Topic: ypserv, ypxfrd & portmap security patch

BugId's fixed with this patch: 1036869 1039839 1082319 1082320 1080353 1076977 1209708 1238679

Bug fixes incorporated in this version: 1238679

Architectures for which this patch is available: sun4(all)

Obsoleted by:

Files included with this patch: README
				portmap
				securenets
				ypserv
				ypxfrd

Problem Description: 

        Bug 1238679
        DNS spoofing is possible per CERT CA-96.02

	Bug 1209708 
	YP caches host info for too long and does not honor the 
	refresh times from DNS

        Bug 1036869
	Security -  ypserv will send maps to anyone who can guess the 
		    domainname

	Bug 1039839
	DNS used in conjunction with NIS may generate syslog messages
	to the console such as:
	nres_gethostbyaddr: some.name.org != its.correct.IP.addr

	Bug 1082319
	Security -  ypserv will send maps to anyone via the portmapper.

	Bug 1082320
	Security -  ypxfrd will send maps to anyone.
	Ypxfrd does not check whether the person transferring the map 
	is root on his machine when the map is "secure". As a 
	consequence, any user can get the password map if the
	NIS master is running ypxfrd.

	Bug 1080353
	The problem occurs whenever the primary name server downloads an 
	'A' record to the secondary system and this 'A' record contains 
	more than 36 IP addresses. This causes ypserv on the 
	secondary system to dump core.

	Bug 1076977
	DNS lookup will fail if the first nameserver in /etc/resolv.conf 
	is up but has no nameserver daemon running. The ECONNREFUSED will 
	be carried on down to the other nameservers listed in resolv.conf 
	even if they are up and their nameserver daemons are running.


Comments:

This patch contains the following fixes:

	1. ypserv - for bugs 1036869, 1039839, 1080353, 1209708, 1238679
	2. ypxfrd - for bug 1082320
	3. portmap - for bug 1082319

In order to prevent these NIS security problems, all of the
above fixes need to work together. 

Both the patched "ypserv" and "ypxfrd" use a /var/yp/securenets 
file and, if it is present, respond only to IP addresses in the 
ranges given. This file is read only when the daemons (both
ypserv & ypxfrd) start. For a change in /var/yp/securenets
to take effect, one must kill and restart the daemons.


The format of the file is one or more lines of:

	netmask netaddr

	e.g. 

	255.255.0.0 128.30.0.0
	255.255.255.0 128.311.10.0

	In the 2nd example, the netmask is 255.255.255.0 
	and the network address is 128.311.10.0. This 
	setup will only allow ypserv to respond to 
	those IP addresses which are within the subnet 
	128.311.10 range.
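
Added example, not part of Sun's patch or this README's original text: a Python check for a /var/yp/securenets file in the "netmask netaddr" format above, which reports lines a strict parser rejects (the second sample line as printed has an octet of 311, above 255) before the daemons are restarted. It assumes a client matches an entry when (client AND netmask) equals netaddr; the function names and the third sample line are constructed.

```python
import ipaddress

# Constructed sample: the README's two example lines as printed, plus one
# constructed line whose netaddr has host bits set.
SAMPLE = """\
255.255.0.0 128.30.0.0
255.255.255.0 128.311.10.0
255.255.255.0 192.168.5.7
"""

def _quad(text):
    # Strict dotted quad as an int; raises ValueError if an octet is > 255.
    return int(ipaddress.IPv4Address(text))

def parse_securenets(text):
    """Return (entries, errors): (mask, net) int pairs and (lineno, reason) pairs."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue  # blank line
        if len(fields) != 2:
            errors.append((lineno, "expected 'netmask netaddr'"))
            continue
        try:
            mask, net = _quad(fields[0]), _quad(fields[1])
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        inverse = ~mask & 0xFFFFFFFF
        if inverse & (inverse + 1):
            errors.append((lineno, "netmask is not contiguous"))
        elif net & inverse:
            errors.append((lineno, "netaddr has bits outside the netmask"))
        else:
            entries.append((mask, net))
    return entries, errors

def is_allowed(client_ip, entries):
    # Assumed semantics: a client matches when (client & netmask) == netaddr.
    client = _quad(client_ip)
    return any((client & mask) == net for mask, net in entries)

if __name__ == "__main__":
    entries, errors = parse_securenets(SAMPLE)
    for lineno, reason in errors:
        print(f"line {lineno}: {reason}")
    for ip in ("128.30.44.9", "128.31.0.1", "192.168.5.20"):
        print(ip, "allowed" if is_allowed(ip, entries) else "refused")
```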

Install:

Perform the following as root, using the directory for the correct architecture.

#save original binaries

  mv /usr/etc/ypserv /usr/etc/ypserv.orig
  mv /usr/etc/ypxfrd /usr/etc/ypxfrd.orig
  mv /usr/etc/portmap /usr/etc/portmap.orig
  chmod 0400 /usr/etc/ypserv.orig
  chmod 0400 /usr/etc/ypxfrd.orig
  chmod 0400 /usr/etc/portmap.orig

#copy the new version to /usr/etc

  cp `arch -k`/ypserv /usr/etc/ypserv
  cp `arch -k`/ypxfrd /usr/etc/ypxfrd
  cp `arch -k`/portmap /usr/etc/portmap
 
  chown root.staff /usr/etc/ypserv
  chmod 755  /usr/etc/ypserv
 
  chown root.staff /usr/etc/ypxfrd
  chmod 755  /usr/etc/ypxfrd
 
  chown root.staff /usr/etc/portmap
  chmod 755  /usr/etc/portmap


#copy the securenets file to /var/yp

  cp `arch -k`/securenets /var/yp
 
  chown root.staff /var/yp/securenets
  chmod 644 /var/yp/securenets

#edit the securenets file and make the appropriate changes.

#reboot the system to invoke the new binaries.
