FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

ypserv -- Inoperative access controls in ypserv

Affected systems
5.3 <= FreeBSD < 5.3_30
5.4 <= FreeBSD < 5.4_15
5.5 <= FreeBSD < 5.5_1
6.0 <= FreeBSD < 6.0_8
6.1 <= FreeBSD < 6.1_1

Details

VuXML ID 0ac1aace-f7b9-11da-9156-000e0c2e438a
Discovery 2006-05-31
Entry 2006-06-09

Problem Description

There are two documented methods of restricting access to NIS maps through ypserv(8): through the use of the /var/yp/securenets file, and through the /etc/hosts.allow file. While both mechanisms are implemented in the server, a change in the build process caused the "securenets" access restrictions to be inadvertently disabled.

Impact

ypserv(8) will not load or process any of the networks or hosts specified in the /var/yp/securenets file, rendering those access controls ineffective.

Workaround

One possible workaround is to use /etc/hosts.allow for access control, as shown by examples in that file.

Another workaround is to use a firewall (e.g., ipfw(4), ipf(4), or pf(4)) to limit access to RPC functions from untrusted systems or networks, but due to the complexities of RPC, it might be difficult to create a set of firewall rules which accomplish this without blocking all access to the machine in question.
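The following Python model, added here as an illustration and not part of the advisory or of ypserv itself, evaluates a client address against a constructed /var/yp/securenets file and a constructed set of /etc/hosts.allow rules, and shows why hosts.allow still blocks untrusted clients when the securenets networks are never loaded. It assumes the documented "network netmask" line format for securenets and a simplified hosts_access(5) matcher (address patterns only, first match wins, unmatched clients allowed).

```python
import ipaddress

# Constructed sample of /var/yp/securenets. Assumption: one "network netmask"
# pair per line, '#' starts a comment (the format ypserv(8) documents).
SECURENETS = """\
# allow the local host
127.0.0.1    255.255.255.255
# allow the trusted LAN
192.0.2.0    255.255.255.0
"""

# Constructed sample of /etc/hosts.allow rules for ypserv, hosts_access(5)
# style: "daemon : client patterns : allow|deny", first match wins.
HOSTS_ALLOW = """\
ypserv : 127.0.0.1 192.0.2.0/255.255.255.0 : allow
ypserv : ALL : deny
"""

def parse_securenets(text):
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            network, netmask = line.split()
            nets.append(ipaddress.ip_network(f"{network}/{netmask}", strict=False))
    return nets

def securenets_permits(text, client):
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in parse_securenets(text))

def hosts_allow_permits(text, daemon, client):
    # Simplified hosts_access(5): address patterns only (no hostnames, no
    # wildcards besides ALL); an unmatched client is allowed, as tcp_wrappers does.
    addr = ipaddress.ip_address(client)
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2 or fields[0] != daemon:
            continue
        action = fields[2] if len(fields) > 2 else "allow"
        for pattern in fields[1].split():
            if pattern == "ALL" or addr in ipaddress.ip_network(pattern, strict=False):
                return action == "allow"
    return True

def ypserv_permits(client, securenets, hosts_allow, securenets_loaded=True):
    # The advisory's defect is modelled by securenets_loaded=False: the file's
    # networks are never consulted, so only hosts.allow can block the client.
    if securenets_loaded and not securenets_permits(securenets, client):
        return False
    return hosts_allow_permits(hosts_allow, "ypserv", client)
```

With securenets_loaded=False and an empty hosts.allow, a client outside the trusted networks is served; adding the hosts.allow deny rule restores the restriction.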

References

CVE Name CVE-2006-2655
FreeBSD Advisory SA-06:15.ypserv