CERT® Advisory CA-1998-06 Buffer Overflow in NIS+Original issue date: June 9, 1998
Last revised: Nov 9, 1999
Updated vendor information for Data General.
A complete revision history is at the end of this file.
The CERT Coordination Center has received a report from Internet Security Systems regarding a vulnerability in some implementations of NIS+. The NIS+ service is offered by the rpc.nisd program on many systems.
We recommend installing a vendor patch as soon as possible. Until you are able to do that, we encourage you to implement applicable workarounds as described in section III.
We will update this advisory as we receive additional information. Please check our advisory files regularly for updates that relate to your site.
NIS+ and NIS are designed to assist in the administration of networks by providing centralized management and distribution of information about users, machines, and other resources on the network. NIS+ is a replacement for NIS. A buffer overflow exists in some versions of NIS+. At this time, we do not believe any versions of NIS are vulnerable to this buffer overflow. Note that this vulnerability exists independently of the security level at which the NIS+ server is running.
Depending on the configuration of the target machine, a remote intruder can gain root access to a vulnerable system or cause the NIS+ server to crash, which will affect the usability of any system which depends on NIS+.
Additionally, if your NIS+ server is running in NIS compatibility mode and if an intruder is able to crash the NIS+ server, the intruder may be able to masquerade as an NIS server and gain access to machines that depend on NIS for authentication.
Finally, if an intruder is able to crash an NIS+ server and there are clients on the local network that are initialized by broadcast, an intruder may be able to provide false initialization information to the NIS+ clients. Clients that are initialized by hostname may also be vulnerable under some circumstances.
Appendix A - Vendor Information
Below is a list of the vendors who have provided information for this advisory. We will update this appendix as we receive additional information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact the vendor directly.
Data General is not vulnerable to this problem.
Digital Equipment Corporation
This problem is not present for Digital's ULTRIX or Digital UNIX Operating Systems Software.
FreeBSD is not vulnerable.
UXP/V V10L20, the current version of the UNIX-based operating system running on the Fujitsu VPP Series supercomputers, is vulnerable. Fujitsu is currently working on a patch for UXP/V V10L20. UXP/V V10L10, the version that preceded V10L20, is not vulnerable.
HP-UX is Vulnerable. Patches in process.
AIX is not vulnerable.
Some NEC systems are vulnerable. Patches are in progress and will be available from ftp://ftp.meshnet.or.jp/pub/48pub/security.
The NetBSD Project
NetBSD is not vulnerable.
OpenBSD is not vulnerable.
The Santa Cruz Operation, Inc.
No SCO products are vulnerable.
Sun Microsystems, Inc.
Patches were released for Solaris 5.4, 5.5, 5.5.1, and 5.6. The patch numbers are as follows. 5.4 sparc 101973-35 5.4 intel 101974-35 5.5 sparc 103187-38 5.5 intel 103188-38 5.5.1 sparc 103612-41 5.5.1 intel 103613-41 5.6 sparc 105401-12 5.6 intel 105402-12 Sun estimates that a patch for SunOS 5.3 will be available in about 12 weeks. The expected patch number is 101318-91.
We wish to thank Josh Daymont of ISS who reported the vulnerability and provided technical assistance.
This document is available from: http://www.cert.org/advisories/CA-1998-06.html
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Conditions for use, disclaimers, and sponsorship information
Copyright 1998 Carnegie Mellon University.
July 22, 1999 Added vendor information for Fujitsu.