CVE-2010-0015 in C Library
Summary
by MITRE
nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7 and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the passwd.adjunct.byname map to entries in the passwd map, which allows remote attackers to obtain the encrypted passwords of NIS accounts by calling the getpwnam function.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 08/31/2021
The vulnerability identified as CVE-2010-0015 resides within the GNU C Library implementation of NIS (Network Information Service) name service switch functionality. This flaw affects glibc version 2.7 and EGLIBC version 2.10.2, where the nis/nss_nis/nis-pwd.c component improperly handles the integration of data from the passwd.adjunct.byname map into the primary passwd map. The security issue stems from an insufficient validation mechanism that allows information from auxiliary NIS maps to be merged with primary user account data without proper access controls or sanitization. This behavior creates an unintended information disclosure channel that can be exploited by remote attackers to obtain encrypted password hashes from NIS-managed user accounts.
The technical exploitation of this vulnerability occurs through the getpwnam function call, which is part of the standard name service switch API used by applications to resolve user account information. When a remote attacker invokes getpwnam with a specific username that exists in both the primary passwd map and the passwd.adjunct.byname map, the system inadvertently merges information from both sources. The passwd.adjunct.byname map typically contains additional user attributes including encrypted password hashes that should remain separate from the primary user database. This merging process exposes the encrypted password information that would normally be restricted to authorized internal processes, effectively bypassing the intended security boundaries of the NIS service configuration.
The operational impact of this vulnerability extends beyond simple information disclosure, as it fundamentally undermines the security model of NIS-based authentication systems. Remote attackers can leverage this weakness to harvest encrypted password hashes from NIS-managed user accounts, which can then be subjected to offline password cracking attacks or used as part of credential stuffing operations against other systems. The vulnerability affects systems that rely on NIS for user authentication and authorization, particularly in enterprise environments where NIS is used as a centralized user management solution. This issue represents a critical weakness in the name service switch architecture that can be exploited without requiring elevated privileges or direct system access, making it particularly dangerous in networked environments.
Mitigation strategies for this vulnerability involve immediate patching of affected glibc and EGLIBC installations to versions that address the improper data merging behavior in the NIS name service switch implementation. System administrators should also consider implementing network-level restrictions to limit access to NIS services and ensure that the passwd.adjunct.byname map is properly secured and restricted from unauthorized access. Additionally, organizations should conduct thorough audits of their NIS configurations to identify and disable unnecessary NIS map access, particularly for auxiliary maps that contain sensitive information. The vulnerability aligns with CWE-200 (Information Exposure) and represents a specific implementation flaw in the name service switch mechanism that could be categorized under ATT&CK technique T1565.001 (Data Manipulation) when exploited for credential harvesting purposes. Organizations should also consider migrating away from NIS-based authentication systems to more modern and secure alternatives such as LDAP or Kerberos to eliminate exposure to similar legacy vulnerabilities.