Multiple Vendor NIS rpc.ypupdated YP Map Update Arbitrary Remote Command Execution

This script is Copyright (C) 2008-2011 Tenable Network Security, Inc.


Synopsis :

'ypupdated -i' is running on this port.

Description :

ypupdated is part of NIS and allows a client to update NIS maps.

This old command execution vulnerability was discovered and fixed in
1995. However, it is still possible to run ypupdated in insecure
mode by adding the '-i' option.
Anybody can easily run commands as root on this machine by specifying
an invalid map name that starts with a pipe (|) character. Exploits
have been publicly available since the first advisory.

Solution :

Remove the '-i' option.
If this option was not set, the rpc.ypupdated daemon is still vulnerable
to the old flaw; contact your vendor for a patch.
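
One way to audit a host for the insecure '-i' setting described above. This is an added example, not part of the Nessus plugin. The function name, the sample paths and the sample process lines are constructed for illustration, and matching clustered options is an assumption about getopt-style parsing.

```shell
#!/bin/sh
# Added example: flag command lines that start (rpc.)ypupdated with '-i'.
# Input: one command line per stdin line, e.g. the output of `ps -e -o args`
# or the lines of a startup script / inetd configuration.
# Output: each offending line. Exit status 0 if any were found, 1 if none.
find_insecure_ypupdated() {
    awk '
    /^[ \t]*#/ { next }                     # ignore commented-out entries
    {
        seen = 0
        for (n = 1; n <= NF; n++) {
            # daemon name, with or without a leading path or "rpc." prefix
            if ($n ~ /(^|\/)(rpc\.)?ypupdated$/) { seen = 1; continue }
            # an option after the daemon name that contains "i"
            # (clustered options are an assumption, see lead-in)
            if (seen && $n ~ /^-[A-Za-z]*i[A-Za-z]*$/) {
                print
                found = 1
                break
            }
        }
    }
    END { exit (found ? 0 : 1) }
    '
}

# Constructed sample input (not captured from a real host).
sample_lines() {
    cat <<'EOF'
root  412  /usr/sbin/rpc.ypupdated -i
root  413  /usr/sbin/rpc.ypupdated
# /usr/sbin/rpc.ypupdated -i
root  501  /usr/sbin/sshd -i
EOF
}

# Stand-alone run over the constructed sample; on a live host use:
#   ps -e -o args | find_insecure_ypupdated
sample_lines | find_insecure_ypupdated
```

A line that is not flagged only shows that '-i' is absent. As the solution text says, a running rpc.ypupdated without '-i' may still carry the old flaw and needs the vendor patch.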

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.7
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: RPC

Nessus Plugin ID: 31683

Bugtraq ID: 1749, 28383

CVE ID: CVE-1999-0208