Source: cve@mitre.org
rpc.ypupdated (NIS) allows remote users to execute arbitrary commands.
rpc.ypupdated, a component of the Network Information Service (NIS), suffers from a critical vulnerability that allows remote command execution. Successful exploitation gives an attacker complete control of the host, enabling data theft, full system compromise, and lateral movement within the network. The vulnerability is particularly dangerous because of its age: legacy systems that still run NIS may never have been patched.
Step 1 (Target Identification): The attacker identifies systems running NIS and the rpc.ypupdated service, typically by port scanning (port 111 for the RPC portmapper, plus whatever other ports the NIS daemons have registered with it).
Step 2 (Crafting the Malicious Request): The attacker crafts a malicious NIS update request designed to inject shell commands into the data being updated. The specific commands depend on the attacker's goals (e.g., creating a backdoor, downloading malware, or gaining further access).
Step 3 (Payload Delivery): The attacker sends the crafted NIS update request to the vulnerable rpc.ypupdated service, typically over the network as an RPC call.
Step 4 (Command Execution): rpc.ypupdated processes the request. Because of the lack of input validation, the injected shell commands are executed with the privileges of the rpc.ypupdated service (usually root).
Step 5 (System Compromise): The attacker's commands run, giving them control of the system. This can include creating user accounts, installing backdoors, stealing data, or launching further attacks.
The vulnerability lies within the rpc.ypupdated daemon, specifically in its handling of updates to the NIS database. When processing an update request, the daemon fails to adequately validate the request parameters, so attacker-controlled data reaches a command interpreter: a classic command injection. An attacker can craft a malicious NIS update request containing arbitrary commands, and rpc.ypupdated executes them with its own privileges, typically root, because the daemon itself runs as root. The root cause is the absence of input sanitization and validation on the update request, which makes this a textbook remote code execution (RCE) vulnerability.
This vulnerability has been exploited by various threat actors over the years. Specific APT attribution is difficult given the vulnerability's age and the availability of public exploits, but any actor with basic skills can be expected to use it, and it is a common target of opportunistic attacks. It is not listed on the CISA KEV catalog, but its impact warrants immediate attention.
Monitor network traffic for unusual RPC calls from untrusted sources to port 111 (the portmapper) and to the dynamically assigned ports that the NIS daemons register with it.
Analyze system logs for suspicious activity related to rpc.ypupdated, such as unexpected process creation or modifications to system files.
Implement intrusion detection systems (IDS) with signatures that detect malicious NIS update requests.
Review system logs for evidence of successful exploitation, such as the execution of unexpected commands or the creation of new user accounts.
Monitor for changes to NIS configuration files that could indicate compromise.
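The following is an added example, not code from the advisory or from any NIS implementation, showing two of the detection checks above in runnable form: first, whether ypupdated is even registered with the portmapper (parsed from `rpcinfo -p` style output), and second, whether rpc.ypupdated has spawned a shell or other interpreter, which is the observable side effect of the command injection. The rpcinfo text and the process-creation events are constructed for the example; the event line format is a simplification I chose for readability, not a real auditd or syslog format, and the RPC program number 100028 for ypupdated is the standard assignment.

```python
"""Added example (not from the advisory): defender-side checks for rpc.ypupdated.

1. exposed_ypupdated(): parse `rpcinfo -p` style output and report whether
   ypupdated (RPC program 100028) is registered, and on which ports.
2. suspicious_children(): scan constructed process-creation events and flag
   any shell/interpreter whose ancestry includes rpc.ypupdated.
"""
import re
from typing import Dict, List

YPUPDATED_PROG = 100028  # standard RPC program number of ypupdated
# Interpreters a NIS update daemon has no business launching (assumed list).
SHELLS = {"sh", "bash", "dash", "ksh", "csh", "perl", "python", "nc"}

# Constructed `rpcinfo -p` output for a host that still runs NIS daemons.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100004    2   udp    934  ypserv
    100004    2   tcp    937  ypserv
    100028    1   udp    948  ypupdated
    100028    1   tcp    951  ypupdated
"""


def exposed_ypupdated(rpcinfo_text: str) -> List[Dict[str, object]]:
    """Return one record per registered ypupdated transport (empty = not exposed)."""
    found = []
    for line in rpcinfo_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].isdigit():
            continue  # header line or junk
        prog, vers, proto, port, service = parts[:5]
        if int(prog) == YPUPDATED_PROG or service == "ypupdated":
            found.append({"proto": proto, "port": int(port), "version": int(vers)})
    return found


# Constructed, simplified process-creation events (one per line, constructed
# format: pid / ppid / parent command name / command name / executable).
SAMPLE_PROC_EVENTS = [
    "2024-05-01T10:00:01 pid=2101 ppid=1 pcomm=init comm=rpc.ypupdated exe=/usr/sbin/rpc.ypupdated",
    "2024-05-01T10:00:02 pid=2108 ppid=2101 pcomm=rpc.ypupdated comm=make exe=/usr/bin/make",
    "2024-05-01T10:03:17 pid=2300 ppid=2101 pcomm=rpc.ypupdated comm=sh exe=/bin/sh",
    "2024-05-01T10:03:18 pid=2301 ppid=2300 pcomm=sh comm=nc exe=/usr/bin/nc",
    "2024-05-01T10:04:00 pid=2400 ppid=1500 pcomm=sshd comm=bash exe=/bin/bash",
]
EVENT_RE = re.compile(r"pid=(\d+) ppid=(\d+) pcomm=(\S+) comm=(\S+)")


def suspicious_children(events: List[str]) -> List[Dict[str, object]]:
    """Flag interpreters spawned, directly or transitively, by rpc.ypupdated.

    Events are assumed to arrive in order, so a parent is always seen before
    its children; descendants of the daemon are tracked by pid.
    """
    descendants = set()  # pids whose ancestry includes rpc.ypupdated
    flagged = []
    for line in events:
        m = EVENT_RE.search(line)
        if not m:
            continue
        pid, ppid = int(m.group(1)), int(m.group(2))
        pcomm, comm = m.group(3), m.group(4)
        if pcomm == "rpc.ypupdated" or ppid in descendants:
            descendants.add(pid)
            if comm in SHELLS:
                flagged.append({"pid": pid, "ppid": ppid, "comm": comm, "line": line})
    return flagged


if __name__ == "__main__":
    for rec in exposed_ypupdated(SAMPLE_RPCINFO):
        print("ypupdated registered:", rec)
    for hit in suspicious_children(SAMPLE_PROC_EVENTS):
        print("ALERT interpreter under rpc.ypupdated:", hit["line"])
```

On a real host the first check would be fed the output of `rpcinfo -p` and the second a stream of process-creation events from the platform's audit facility; the `make` child is deliberately not flagged, since only interpreters in the assumed `SHELLS` set count, while the `nc` launched two levels below the daemon is caught through the pid-ancestry tracking.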
Disable the rpc.ypupdated service if it is not required. This is the most effective mitigation.
If rpc.ypupdated is required, apply the latest operating system security patches and keep the system fully updated.
Implement network segmentation to restrict access to NIS services to only trusted hosts.
Use a host-based intrusion detection system (HIDS) to monitor for malicious activity on the system.
Implement strong authentication and authorization mechanisms for NIS services.
Regularly audit NIS configuration files for unauthorized changes.
Consider migrating to a more secure directory service, such as LDAP, if possible.
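As an added example (not part of the advisory, and not code from any NIS implementation), the script below implements two of the mitigations above in checkable form: it decides whether an inetd-style configuration still enables rpc.ypupdated, shown with a weak fragment beside the corrected one, and it audits a set of NIS configuration files against a SHA-256 baseline to surface unauthorized changes. The inetd.conf lines and the file names `updaters` and `securenets` are constructed for illustration; real paths, and the exact service-line syntax, vary by platform and are assumptions here.

```python
"""Added example (not from the advisory): NIS hardening checks.

- ypupdated_enabled(): True if an uncommented inetd-style line still launches
  rpc.ypupdated (weak config) and False once the entry is commented out.
- build_baseline()/audit(): SHA-256 baseline and audit of NIS config files,
  the "regularly audit configuration files" mitigation in code.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Constructed inetd.conf fragments (illustrative syntax, not platform-exact).
WEAK_INETD_CONF = """\
# NIS services
ypupdated/1  dgram  rpc/udp  wait  root  /usr/sbin/rpc.ypupdated  rpc.ypupdated
"""
HARDENED_INETD_CONF = """\
# NIS services
# rpc.ypupdated disabled: remote map updates are not needed on this host
#ypupdated/1  dgram  rpc/udp  wait  root  /usr/sbin/rpc.ypupdated  rpc.ypupdated
"""


def ypupdated_enabled(inetd_conf: str) -> bool:
    """Return True if any active (uncommented) line starts rpc.ypupdated."""
    for raw in inetd_conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing/whole-line comments
        if not line:
            continue
        fields = line.split()
        service = fields[0].split("/")[0]  # "ypupdated/1" -> "ypupdated"
        if service == "ypupdated" or any(f.endswith("rpc.ypupdated") for f in fields):
            return True
    return False


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: Iterable[Path]) -> Dict[str, str]:
    """Record the digest of every existing file; store this somewhere read-only."""
    return {str(p): sha256_of(p) for p in paths if p.exists()}


def audit(paths: Iterable[Path], baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare current files with the baseline and report every discrepancy."""
    report: Dict[str, List[str]] = {"modified": [], "missing": [], "unbaselined": []}
    for p in paths:
        key = str(p)
        if not p.exists():
            if key in baseline:
                report["missing"].append(key)
            continue
        if key not in baseline:
            report["unbaselined"].append(key)
        elif baseline[key] != sha256_of(p):
            report["modified"].append(key)
    return report


def demo() -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Run the audit on constructed files: once clean, once after tampering.

    Returns both reports with file names instead of temp-dir paths.
    """
    with tempfile.TemporaryDirectory() as d:
        updaters = Path(d) / "updaters"      # constructed stand-in for the updaters file
        securenets = Path(d) / "securenets"  # constructed stand-in for securenets
        updaters.write_text("# constructed: legitimate update rules\n")
        securenets.write_text("255.255.255.0 192.0.2.0\n")
        files = [updaters, securenets]
        baseline = build_baseline(files)
        clean = audit(files, baseline)
        updaters.write_text("# constructed: tampered content\n")
        securenets.unlink()
        tampered = audit(files, baseline)
    names = lambda rep: {k: [Path(x).name for x in v] for k, v in rep.items()}
    return names(clean), names(tampered)


if __name__ == "__main__":
    print("weak config enables ypupdated:", ypupdated_enabled(WEAK_INETD_CONF))
    print("hardened config enables ypupdated:", ypupdated_enabled(HARDENED_INETD_CONF))
    print("audit reports:", demo())
```

The baseline must be kept where an attacker who has gained root cannot rewrite it (off-host or on read-only media), otherwise the audit only confirms whatever the intruder left behind; a host-based IDS performs the same comparison continuously, which is what the HIDS mitigation above refers to.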