CERT® Advisory CA-1995-17 rpc.ypupdated VulnerabilityOriginal issue date: December 12, 1995
Last revised: October 30, 1997
Updated vendor information for Sun.
A complete revision history is at the end of this file.
The CERT Coordination Center has received reports of a vulnerability in the rpc.ypupdated program. An exploitation program has also been posted to several newsgroups.
This vulnerability allows remote users to execute arbitrary programs on machines that provide Network Information Service (NIS) master and slave services. Client machines of an NIS master or slave server are not affected.
See Section III for a test to help you determine if you are vulnerable, along with a workaround. In addition, Appendix A contains a list of vendors who have reported their status regarding this vulnerability.
We will update this advisory as we receive additional information. Please check advisory files regularly for updates that relate to your site.
The rpc.ypupdated program is a server used to change NIS information from a network-based client using various methods of authentication.
Clients connect to rpc.ypupdated and provide authentication information and proposed changes to an NIS database. If authenticated, the information provided is used to update the selected NIS database.
The protocol used when clients communicate with a server only checks to see if the connection is authentic using secure RPC. The protocol does not check to see if the client is authorized to modify the NIS data or if the given NIS map exists. Even after an unsuccessful attempt to update the NIS information, the rpc.ypupdated server invokes the make(1) program to propagate possible changes. The invocation of make is implemented in an insecure fashion which allows the requesting client to pass malicious arguments to the call resulting in the execution of arbitrary commands on NIS master and slave servers.
Remote users can execute commands on vulnerable NIS master and slave machines.
First determine if you are vulnerable (see Sec. A below). If you are vulnerable, either follow the instructions vendors have provided in Appendix A or apply the workaround in Sec. B below.
Appendix A: Vendor Information
Below is information we have received from vendors. If you do not see your vendor's name below, please contact the vendor directly for information.
Apple Computer, Inc.
A/UX does not include this functionality and is therefore not vulnerable.
Berkeley Software Design, Inc. (BSDI)
BSD/OS by Berkeley Software Design, Inc. (BSDI) is not vulnerable.
Data General Corporation
Data General believes the DG/UX operating system to be NOT vulnerable. This includes all supported release, DG/UX 5.4 Release 3.10, DG/UX Release 4.10 and all related Trusted DG/UX releases.
Digital Equipment Corporation
OSF/1 on all Digital platforms is not vulnerable.
Digital ULTRIX platforms are not vulnerable to this problem.
HP-UX versions 10.01, 10.10, and 10.20 are vulnerable (versions prior to HP-UX 10.01 are not vulnerable).
Solution: Do not run rpc.ypupdated. rpc.ypupdated is used
when adding or modifying the public:private key pair in the NIS
map public key.byname via the chkey command interface.
rpc.ypupdated should ONLY be run while changes are being made,
then terminated when the changes are complete.
APAR - IX55360
To determine if you have this PTF on your system, run the following command:
lslpp -lB U440666
APAR - IX55363
To determine if you have this fix on your system, run the following command:
lslpp -h | grep -p bos.net.nis.server
Your version of bos.net.nis.server should be 188.8.131.52 or later.
APARs may be ordered using FixDist or from the IBM Support Center. For more information on FixDist reference URL:
or send e-mail to email@example.com with a subject of "FixDist".
OS Version Status ------------------ ------------ -------------------------- EWS-UX/V(Rel4.0) R1.x - R2.x not vulnerable R3.x - R6.x vulnerable EWS-UX/V(Rel4.2) R7.x - R10.x vulnerable EWS-UX/V(Rel4.2MP) R10.x vulnerable UP-UX/V R2.x not vulnerable R3.x - R4.x vulnerable UP-UX/V(Rel4.2MP) R5.x - R7.x vulnerable UX/4800 R11.x vulnerable
The following is a workaround for 48 series.
ypupdated program is started by the /etc/rc2.d/S75rpc script. First, determine if the server is running, killing it if it is. Then, rename ypupdated so that the /etc/rc2.d/S75rpc script will not find and therefore start it when the system reboots.
# uname -a UNIX_System_V testux 4.2 1 R4000 r4000 # /sbin/ps -ef | /usr/bin/grep ypupdated root 359 1 0 08:20:05 ? 0:00 /usr/lib/netsvc/yp/ypupdated root 19938 836 0 23:13:20 pts/1 0:00 /usr/bin/grep ypupdated # /usr/bin/kill 359 # /sbin/mv /usr/lib/netsvc/yp/ypupdated /usr/lib/netsvc/yp/ypupdated.CA-95.17 # /usr/bin/chmod 0 /usr/lib/netsvc/yp/ypupdated.CA-95.17
Contacts for further information:
Open Software Foundation
YP/NIS is not part of the OSF/1 Version 1.3 offering.
Sequent Computer Systems
Sequent does not support the product referred to in this advisory, and as such is not vulnerable.
Silicon Graphics Inc. (SGI)
IRIX 3.x, 4.x, 5.0.x, 5.1.x, 5.2: vulnerable.
IRIX 5.3, 6.0, 6.0.1: rpc.ypupdated was off as distributed.
Sun Microsystems, Inc.
BUG 1230027/1232146 fixed in 4.1.3, will not fix 2.4
The ypupdated program is no longer shipped with NS-KIT. If we do decide in the future to support it again, we will fix the bug.
This document is available from: http://www.cert.org/advisories/CA-1995-17.html
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Conditions for use, disclaimers, and sponsorship information
Copyright 1995, 1996 Carnegie Mellon University.
Oct. 30, 1997 Updated vendor information for Sun. Sep. 23, 1997 Updated copyright information Aug. 30, 1996 Information previously in the README was inserted into the advisory. Feb. 21, 1996 Appendix, IBM - added an entry for IBM Dec. 18, 1995 Appendix, Digital & Hewlett-Packard - modified information