NeXTstep Configuration Vulnerability

Original issue date: January 20, 1992
Last revised: September 19, 1997
Attached copyright statement

A complete revision history is at the end of this file.

The CERT Coordination Center has received information concerning a vulnerability in release 2 of NeXTstep's NetInfo default configuration.  This vulnerability will be corrected in future versions of NeXTstep.

I. Description

By default, a NetInfo server process will provide information to any machine that requests it.

II. Impact

Remote users can gain unauthorized access to the network's administrative information such as the passwd file.

III. Solution

Ensure that the trusted_networks property of each NetInfo domain's root NetInfo directory is set correctly, so that only those systems which should be obtaining information from NetInfo are granted access. The value for the trusted_networks property should be the network numbers of the networks the server should trust.

Note that improperly setting trusted_networks can render your network unusable.

Consult Chapter 16, "Security", of the NeXT Network and System Administration manual for release 2 for details on setting the trusted_networks property of the root NetInfo directory.

The CERT/CC wishes to thank NeXT Computer, Inc. for their cooperation in documenting and publicizing this security vulnerability.

This document is available from:

CERT/CC Contact Information

Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.  Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Conditions for use, disclaimers, and sponsorship information

Copyright 1992 Carnegie Mellon University.

Revision History
September 19,1997  Attached copyright statement