Source: cve@mitre.org
Some configurations of NIS+ in Linux allowed attackers to log in as the user "+".
Critical vulnerability in certain Linux NIS+ configurations allowed unauthorized users to gain root-level access by logging in as the wildcard user '+'. This flaw bypassed authentication mechanisms, posing a significant risk of system compromise and data breaches across affected networks.
Step 1: Configuration Check: The attacker identifies a Linux system running NIS+ and verifies its configuration. This includes examining the passwd and group files, or NIS+ equivalents, to see if the wildcard user '+' is present and its associated privileges.
Step 2: Authentication Attempt: The attacker attempts to log in to the system using the username '+'.
Step 3: Authentication Bypass: Due to the vulnerability, the NIS+ daemon fails to properly authenticate the user, bypassing the normal authentication checks.
Step 4: Privilege Escalation: The attacker is granted access to the system with the privileges associated with the wildcard user, typically root or a highly privileged account.
Step 5: System Compromise: The attacker can now execute commands, access sensitive data, and potentially install malware, leading to complete system compromise.
The vulnerability stems from a flaw in how NIS+ handled the wildcard user entry ('+') in its authentication process. Specifically, the NIS+ daemon, when configured with certain settings, failed to properly validate the user's identity when the wildcard entry was present. This allowed an attacker to bypass authentication and gain access with the privileges associated with the wildcard user, which, in many configurations, defaulted to root or a highly privileged account. The root cause is a logic error in the authentication logic, failing to properly filter or deny the wildcard user's access.
Due to the age of the vulnerability, it's unlikely to be directly targeted by modern APTs. However, it could be exploited by less sophisticated attackers or used as part of a broader attack chain. The vulnerability's impact is high, and it could be leveraged by any attacker with knowledge of the system configuration. Not listed on CISA KEV due to its age.
Monitor system logs (e.g., /var/log/auth.log, /var/log/syslog) for failed login attempts using the username '+'.
Review NIS+ configuration files (e.g., /etc/passwd, /etc/group, NIS+ specific files) for the presence and privileges of the wildcard user '+'.
Implement intrusion detection systems (IDS) with rules to detect suspicious login attempts or activity associated with the '+' user.
Network traffic analysis to identify unusual traffic patterns associated with NIS+ authentication.
Disable NIS+ if not required. Modern systems should use alternatives like LDAP or Active Directory.
If NIS+ is required, ensure the wildcard user '+' is not present in the passwd and group files, or that its privileges are severely restricted.
Review and harden NIS+ configuration files to ensure proper authentication and authorization.
Implement strong password policies and multi-factor authentication (MFA) for all user accounts.
Regularly update and patch the operating system and all installed software.
Implement a host-based intrusion detection system (HIDS) to monitor for malicious activity.
Consider using a network intrusion detection system (NIDS) to monitor for suspicious network traffic.