Patch-ID# 103833-02
Keywords: security ypserv ypxfrd res_send resolv.conf CERT domain
Synopsis: SunOS 4.1.4: ypserv and ypxfrd security fixes
Date: Aug/04/97

Solaris Release: 1.1.2
SunOS Release: 4.1.4
Unbundled Product:
Unbundled Release:

BugId's fixed with this patch: 4056730 1238679 1036869
Changes incorporated in this version: 4056730
Relevant Architectures: sun4(all)
Patches accumulated and obsoleted by this patch:
Patches which conflict with this patch:
Patches required with this patch:
Obsoleted by:
Files included with this patch: ypxfrd ypserv securenets

Problem Description:

Bug 4056730 - ypserv allows invalid domain names
Bug 1238679 - DNS spoofing is possible per CERT CA-96.02
Bug 1036869 - Security - ypserv will send maps to anyone who can guess the domainname

Comments:

In order to prevent these NIS security problems, all of the above fixes need to work together.

Both the "ypserv" and "ypxfrd" processes use a /var/yp/securenets file and, if it is present, they will only respond to IP addresses in the ranges given. This file is only read when the daemons (both ypserv and ypxfrd) start. To make a change in /var/yp/securenets take effect, one must kill and restart the daemons.

The format of the file is one or more lines of:

    netmask netaddr

e.g.

    255.255.0.0   128.30.0.0
    255.255.255.0 128.311.10.0

In the 2nd example, the netmask is 255.255.255.0 and the network address is 128.311.10.0. This setup will only allow ypserv to respond to those IP addresses which are within the subnet 128.311.10 range.
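The following is an added example, not code from this patch or from Sun: a small checker that reads securenets-style "netmask netaddr" lines and reports whether a given client address would be answered, using the same bitwise mask-and-compare logic the daemons apply. The file contents are constructed; it rejects any octet above 255 (an entry written that way can never match a real address) and a netaddr with bits set outside its netmask, both of which are easy to get wrong when editing the file by hand.

```python
# Added example (not Sun's ypserv/ypxfrd code): validate /var/yp/securenets
# entries and check which client addresses they admit.

# Constructed sample of a /var/yp/securenets file.
SAMPLE_SECURENETS = """\
# constructed sample /var/yp/securenets
255.255.0.0   128.30.0.0
255.255.255.0 10.1.10.0
"""


def dotted_to_int(text):
    """Convert a dotted quad to a 32-bit int, rejecting octets outside 0..255."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError("not a dotted quad: %r" % text)
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError("octet out of range in %r" % text)
        value = (value << 8) | octet
    return value


def parse_securenets(contents):
    """Return a list of (netmask, netaddr) ints; blank and '#' lines are skipped."""
    rules = []
    for lineno, line in enumerate(contents.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError("line %d: expected 'netmask netaddr'" % lineno)
        mask, net = (dotted_to_int(f) for f in fields)
        if net & ~mask & 0xFFFFFFFF:
            raise ValueError("line %d: netaddr has bits outside netmask" % lineno)
        rules.append((mask, net))
    return rules


def is_allowed(client_ip, rules):
    """True if client_ip falls inside any rule.

    rules=None models an absent securenets file, in which case the daemons
    answer every requester (the pre-patch behaviour).
    """
    if rules is None:
        return True
    ip = dotted_to_int(client_ip)
    return any((ip & mask) == net for mask, net in rules)
```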
Installation:

1) As root, save the original binaries:

    mv /usr/etc/ypserv /usr/etc/ypserv.orig
    mv /usr/etc/ypxfrd /usr/etc/ypxfrd.orig
    chmod 0400 /usr/etc/ypserv.orig
    chmod 0400 /usr/etc/ypxfrd.orig

2) Copy the new files from the patch directory:

    cp ypserv /usr/etc
    cp ypxfrd /usr/etc
    chown root.staff /usr/etc/ypserv
    chmod 755 /usr/etc/ypserv
    chown root.staff /usr/etc/ypxfrd
    chmod 755 /usr/etc/ypxfrd

3) Copy the securenets file to /var/yp:

    cp securenets /var/yp
    chown root.staff /var/yp/securenets
    chmod 644 /var/yp/securenets

4) Edit the securenets file and make the appropriate changes.

5) Reboot the system to invoke the new binaries.