c-13.ciac-NeXTstep-NetInfo

Posted Sep 23, 1999

SHA-256 | eb520e2f4f6890863d235316f7ff47d009d0aba7574deaf87bc9ef0577e6a67b

_____________________________________________________
The Computer Incident Advisory Capability
                    C I A C
_____________________________________________________
Information Bulletin

NeXTstep NetInfo Configuration Vulnerability

January 21, 1991 1400 PST Number C-13
_________________________________________________________________________

PROBLEM: By default, the NetInfo server process allows unrestricted
access to system databases.
PLATFORM: NeXT computers with release 2 of NeXTstep operating system.
DAMAGE: Remote users can gain unauthorized access to the network's
administrative information such as the passwd database.
SOLUTION: Correctly configure the root NetInfo directory so that the
trusted_networks property is set only to the network addresses
your server trusts.
__________________________________________________________________________
Critical Facts about NeXT NetInfo vulnerability

CIAC has learned of a configuration vulnerability in release 2 of the
NeXTstep operating system for NeXT computers. Because a NetInfo
server process will by default allow unrestricted access to system
databases, remote users can gain unauthorized access to the network's
administrative information. For example, if a NeXT computer (or LAN)
grants external access to other TCP/IP networks, information about
hosts and users in NetInfo can be used by remote attackers to
compromise the security of the local network and hosts connecting to
it. In particular, an unauthorized user can also remotely obtain the
NetInfo password database (NetInfo /users directory) if default
settings are not changed as described below.

NeXT Computers Inc. recommends that each domain that stores user
passwords be protected against outside access. To accomplish this,
ensure that the trusted_networks property of each NetInfo domain's
root NetInfo directory is set correctly, so that only systems trusted
to obtain information from NetInfo are granted access. The value for
the trusted_networks property should be the network address (see step
7 below) of the networks the server should trust.

You should consult Chapter 16, "Security", of the "NeXT Network and
System Administration" manual for release 2 for detailed procedures
concerning setting the trusted_networks property of the root NetInfo
directory. The following, however, provides a brief overview of
these procedures for NeXT administrators already familiar with
NetInfoManager (the steps must be performed with root privilege):

1. With NetInfoManager, open the domain to be protected. Click the
root directory.

2. Choose Open Directory from the Directory menu.

3. Click "master" in the Properties column.

4. Choose Append Property. Notice the property called
"new_property".

5. Click that property. Change the text in the field at the bottom
of the window from "new_property" to "trusted_networks". Press
<return> to record the change.

6. Choose New Value from the Directory menu. Notice the value in
the Values column called "new_value".

7. Click "new_value" in the values column. Change the text in the
field at the bottom of the window from "new_value" to your
network address. This is the section of the Internet address
which belongs to the network. Enter the number assigned to you
from the NIC or Corporate Network Manager. Do not include a
trailing period in the network number. Press <return> to record the
change.

8. Save the directory by choosing Save in the Directory menu.

WARNING: If you incorrectly enter this number, it may result in
legitimate machines being unable to boot or read administrative
information. If you are in doubt about these instructions, refer to
the manual described above.

CAUTION: Improperly setting trusted_networks can render your network
unusable.
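The warning above is about the one field the procedure asks you to type by hand: the network number in step 7. A value that is malformed (a trailing period, a full host address instead of the network portion, a typo in an octet) either leaves the server unrestricted or locks legitimate clients out. The following is an added example, not CIAC's or NeXT's code, showing a pre-save check an administrator could run: it parses a simple "property: values" dump of the root directory (a constructed format for this example, not NetInfoManager's or any real export format), validates each trusted_networks value as a classful network number of one to three octets, and confirms that a known-good client address is still covered before the directory is saved.

```python
"""Sanity-check trusted_networks values before saving the root NetInfo
directory (added example; the dump format below is constructed)."""


# Constructed sample: one "name: value value ..." line per property of the
# root directory. Hypothetical format, chosen only for this example.
SAMPLE_ROOT_DIRECTORY = """\
name: /
master: nextserver/network
trusted_networks: 128.115 192.168.1.
"""


def parse_properties(text):
    """Return {property_name: [values]} from the constructed dump format."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        props[name.strip()] = rest.split()
    return props


def check_network_number(value):
    """Return a list of problems with one trusted_networks value.

    A valid value is the network portion of a dotted-decimal address:
    one to three octets (class A, B or C network number), no host part,
    no trailing period, every octet in 0..255.
    """
    problems = []
    if value.endswith("."):
        problems.append("trailing period")
        value = value[:-1]
    parts = value.split(".")
    if not 1 <= len(parts) <= 3:
        problems.append(
            "expected 1 to 3 octets (network portion only), got %d" % len(parts))
    for p in parts:
        if not p.isdigit() or not 0 <= int(p) <= 255:
            problems.append("bad octet %r" % p)
    return problems


def validate_trusted_networks(props):
    """Return {value: [problems]} for every offending value; {} if all OK.

    A missing or empty property is reported under the key "" because the
    default (no property at all) is exactly the unrestricted configuration
    the bulletin describes.
    """
    values = props.get("trusted_networks", [])
    if not values:
        return {"": ["trusted_networks missing or empty: server is unrestricted"]}
    report = {}
    for v in values:
        problems = check_network_number(v)
        if problems:
            report[v] = problems
    return report


def host_is_trusted(host_ip, networks):
    """True if host_ip lies inside one of the (well-formed) network numbers.

    Prefix match on dotted octets. Run this for a few legitimate clients
    (diskless workstations especially) before saving, so the change does
    not leave them unable to boot or read administrative information.
    """
    host_octets = host_ip.split(".")
    for net in networks:
        if check_network_number(net):
            continue  # malformed entries never match anything
        net_octets = net.split(".")
        if host_octets[:len(net_octets)] == net_octets:
            return True
    return False


if __name__ == "__main__":
    props = parse_properties(SAMPLE_ROOT_DIRECTORY)
    print(validate_trusted_networks(props))
    print(host_is_trusted("128.115.19.5", props["trusted_networks"]))
```

On the constructed sample the check flags "192.168.1." for its trailing period (the exact mistake step 7 tells you to avoid) while accepting "128.115", and a host on 128.115 is reported as covered. Because a malformed entry is skipped by host_is_trusted, a client that was supposed to be admitted by that entry shows up as untrusted before the directory is saved rather than after it fails to boot.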

For additional information or assistance please contact CIAC. Send
e-mail to ciac@llnl.gov or call CIAC at (510)422-8193**/(FTS)532-8193.

David S. Brown
(510)423-9878** or (FTS) 543-9878
dsbrown@llnl.gov

(FAX) (510) 423-8002** or (FTS) 543-8002

**Note area code has changed from 415, although the 415 area code will
work until Jan. 27, 1992.

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Some of the other teams include the NASA NSI response team,
DARPA's CERT/CC, NAVCIRT, and the Air Force response team. Your
agency's team will coordinate with CIAC.

CIAC would like to thank Alan Marcum of NeXT Computer Inc. and the
Computer Emergency Response Team/ Coordination Center (CERT/CC) for
some of the material provided in this bulletin.

Neither the United States Government nor the University of California
nor any of their employees, makes any warranty, expressed or implied,
or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government nor the University of California, and shall not be used for
advertising or product endorsement purposes.

