NeXTstep Configuration VulnerabilityOriginal issue date: January 20, 1992
Last revised: September 19, 1997
Attached copyright statement
A complete revision history is at the end of this file.
The CERT Coordination Center has received information concerning a vulnerability in release 2 of NeXTstep's NetInfo default configuration. This vulnerability will be corrected in future versions of NeXTstep.
By default, a NetInfo server process will provide information to any machine that requests it.
Remote users can gain unauthorized access to the network's administrative information such as the passwd file.
Ensure that the trusted_networks property of each NetInfo domain's root NetInfo directory is set correctly, so that only those systems which should be obtaining information from NetInfo are granted access. The value for the trusted_networks property should be the network numbers of the networks the server should trust.
Note that improperly setting trusted_networks can render your network unusable.
Consult Chapter 16, "Security", of the NeXT Network and System Administration manual for release 2 for details on setting the trusted_networks property of the root NetInfo directory.
The CERT/CC wishes to thank NeXT Computer, Inc. for their cooperation in documenting and publicizing this security vulnerability.
This document is available from: http://www.preview.cert.org/advisories/CA-1992-01.html
CERT/CC Contact Information
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
Conditions for use, disclaimers, and sponsorship information
Copyright 1992 Carnegie Mellon University.
September 19,1997 Attached copyright statement