Bugzilla – Bug 42541
VUL-0: CVE-2003-0251: ypserv: denial-of-service attack in ypserv
Last modified: 2021-09-28 08:21:10 UTC
Hi, this might be interesting for you. http://www.securityfocus.com/archive/1/326735 The CAN is reserved but no details are published so far: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0251 If our systems are affected as well we need a security update for all maintained products + SL 7.2-8.2. I will attach the p&p files in a few minutes.
You can start a denial-of-service attack on ypserv, as you can do with every RPC-based service. That we fork for one function (from 12) does not prevent a user from creating such an attack with the help of another function. There are a lot of possibilities for such an attack, none of them is fixable. If RH uses the default limit, you now need 40 connections to stop the daemon. If you don't limit the number of connections, you can overflow the process table and eat all memory on the server. This would even be possible with a slow dialup connection and a very old i386 PC, you don't need more resources than before (I have a nice multithreaded program for doing so). We plan to make a ypserv update estimated next week, but for other reasons (fixing some errors in the protocol, where as a result ypcat on Solaris could hang forever, and possible corruption of the master name of a map on the slave side; nothing is fixed in RH's update).
Ok, I see. Time for closing this I think...
Close it, a 2.9 update is on the way.
CVE-2003-0251: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)