Multiple Vendor NIS rpc.ypupdated YP Map Update Arbitrary Remote Command Execution
high Nessus Plugin ID 31683
Language:
Synopsis
'ypupdated -i' is running on this port.Description
ypupdated is part of NIS and allows a client to update NIS maps.This old command execution vulnerability was discovered and fixed in 1995. However, it is still possible to run ypupdated in insecure mode by adding the '-i' option.
Anybody can easily run commands as root on this machine by specifying an invalid map name that starts with a pipe (|) character. Exploits have been publicly available since the first advisory.
Solution
Remove the '-i' option.If this option was not set, the rpc.ypupdated daemon is still vulnerable to the old flaw; contact your vendor for a patch.
Plugin Details
Severity: High
ID: 31683
File Name: ypupdated_remote_exec.nasl
Version: 1.17
Type: remote
Family: RPC
Published: 3/28/2008
Updated: 6/12/2020
Risk Information
VPR
Risk Factor: High
Score: 7.0
CVSS v2
Risk Factor: High
Base Score: 9.3
Temporal Score: 7.3
Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
Vulnerability Information
Exploit Available: true
Exploit Ease: Exploits are available
Vulnerability Publication Date: 12/12/1994
Exploitable With
Metasploit (Solaris ypupdated Command Execution)
Reference Information
CVE: CVE-1999-0208