[Posted to newsgroup comp.unix.solaris, and mailed to bugtraq@securityfocus.com]

Patch 113579-03, which has been in the recommended patch set for Solaris 9 since mid-February, introduces a security bug.

If you are not running a NIS server using Solaris 9 you are not affected. If you do, but don't have any secure maps (as made by "makedbm -s"), you are still not affected. The commonest use of secure maps is probably as part of the "c2secure" setup, in which the encrypted passwords are kept in a separate secure map "passwd.adjunct.byname".

The bug simply causes secure NIS maps not to be treated as secure any longer. This means that any user on a NIS client (rather than just the super-user) can use ypcat(1) and ypmatch(1) to extract the contents of a secure map such as "passwd.adjunct.byname".

We discovered this bug accidentally, and reported it to Sun on Monday 29 March. They quickly confirmed the bug: we have no complaints on that score. However, in the three weeks since then they have failed to withdraw the faulty patch or issue any security alert to Solaris users on the subject. We think this is unreasonable: therefore we are making this information publicly available.

If you are affected by the security problem, then we advise you to remove patch 113579-03 with patchrm(1m) and then restart the NIS daemons, which will re-secure the relevant NIS maps. You might need to bear in mind that 113579-03 replaced /var/yp/Makefile and that therefore patchrm'ing it will cause it to revert to the version before the patchadd, and also that patch 113579-03 obsoleted 113483-02 as well as 113579-01.

We've been told that Solaris 9 4/04 comes with patch 113579-04 pre-applied: this version of the patch is not yet available separately. We believe that it probably has the same security bug as 113579-03, but have not yet been able to test this ourselves.

We are, of course, aware that using secure NIS maps is only a small part of securing NIS configurations (insofar as that can be done at all).

--
Chris Thompson               University of Cambridge Computing Service,
Email: cet1@ucs.cam.ac.uk    New Museums Site, Cambridge, UK.
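
The following triage helper is an added example, not part of the original post or any Sun tooling; it applies the post's conditions (patch 113579-03 installed, at least one secure map) to command output read on stdin. It assumes that `showrev -p` lines begin "Patch: <id>-<rev>", that `makedbm -u` lists a YP_SECURE key for maps built with "makedbm -s", and a POSIX shell and awk; the sample data is constructed.

```sh
#!/bin/sh
# Added example: triage for the condition described in the post.
# Assumed formats: `showrev -p` lines start "Patch: <id>-<rev>"; `makedbm -u`
# lists a YP_SECURE key for maps built with "makedbm -s".
AWK=${AWK:-awk}          # on Solaris 9 use nawk or /usr/xpg4/bin/awk
PATCH_BASE=113579

# stdin: `showrev -p` output. Prints highest installed revision, or nothing.
installed_rev() {
    "$AWK" -v base="$PATCH_BASE" '
        $1 == "Patch:" && index($2, base "-") == 1 {
            rev = substr($2, length(base) + 2)
            if (rev > max) max = rev
        }
        END { if (max != "") print max }'
}

# stdin: `makedbm -u <map>` output. Exit 0 if the map carries YP_SECURE.
map_is_secure() {
    "$AWK" '$1 == "YP_SECURE" { found = 1 } END { exit !found }'
}

# $1 = installed revision (may be empty), $2 = number of secure maps.
classify() {
    if [ "$2" -eq 0 ]; then echo "not-affected: no secure maps"
    elif [ "$1" = "03" ]; then echo "affected: patchrm $PATCH_BASE-03, restart NIS daemons"
    elif [ "$1" = "04" ]; then echo "suspect: $PATCH_BASE-04 not tested by the post"
    else echo "not-affected: $PATCH_BASE-03 not installed"
    fi
}

# Constructed sample data (placeholder package name and password field).
SAMPLE_SHOWREV='Patch: 000000-01 Obsoletes:  Requires:  Incompatibles:  Packages: PKG_PLACEHOLDER
Patch: 113579-03 Obsoletes: 113483-02 Requires:  Incompatibles:  Packages: PKG_PLACEHOLDER'
SAMPLE_MAP='YP_LAST_MODIFIED 1080000000
YP_MASTER_NAME nis1.example
YP_SECURE
alice alice:HASH_PLACEHOLDER:::::'

rev=$(printf '%s\n' "$SAMPLE_SHOWREV" | installed_rev)
n=0
if printf '%s\n' "$SAMPLE_MAP" | map_is_secure; then n=1; fi
classify "$rev" "$n"
```

On a NIS server, feed `showrev -p` to `installed_rev` and `makedbm -u /var/yp/<domain>/<map>` to `map_is_secure` for each map, then pass the revision and the count of secure maps to `classify`.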