Unprivileged NFS Access
Summary
This vulnerability exists when an NFS server accepts and executes
requests that come from unprivileged user programs, not just from the
client host's kernel.
Impact
A malicious user can send NFS file access requests on behalf of any user. In other
words, a malicious user is able to impersonate a trusted user of the system and read,
modify, or execute files on any file system the server exports.
Background
When an NFS client host wants to access a remote file or directory, its
operating system sends a request to the NFS server. The request
specifies, among other things, a file handle (the server's identifier for
the file), the operation (read, write, change permission, etc.), and the
identity of the user on whose behalf the operation is to be done.
By default, the user identity is specified with the UNIX numeric user
and group ids. With this scheme, called AUTH_UNIX (also AUTH_SYS), the
server simply believes whatever identity the client sends it; nothing in
the request proves that the numbers are genuine.
The Problem
An NFS request is nothing but a network message. Any user can run a
program that generates arbitrary NFS requests. Such programs have been
available for several years, and writing them does not require unusual
programming skills.
When an NFS server accepts requests with AUTH_UNIX authentication from
unprivileged user programs, a malicious user can execute file access
requests on behalf of any user. This is possible because with AUTH_UNIX
authentication the user identity is nothing but a few user and group ID
numbers in a network message; a client kernel fills in the real ids of
the calling process, but a program that builds its own messages can fill
in whatever ids it likes.
Resolution
To fix this vulnerability, avoid AUTH_UNIX authentication and use a
credential flavor that is verified cryptographically. For example, secure
NFS with DES (AUTH_DES) or Kerberos (AUTH_KERB) credentials.
Unfortunately, many NFS implementations support AUTH_UNIX
authentication only. Consult system documentation for details.
A partial, but more common, solution is to configure the NFS server,
and where possible the mount daemon, to accept requests only from
privileged system programs (such as UNIX kernels), and to reject NFS
requests that are sent by unprivileged user programs. In practice this
is a check on the source port of the request: the server accepts only
requests sent from a privileged port (below 1024), which on a UNIX host
only the kernel and processes running as root can bind.
Note: Rejecting NFS requests from unprivileged user programs
does not protect your servers against malicious superusers, who can bind
a privileged port, or against malicious PC programs, since PC operating
systems of the time have no notion of privileged ports and any program
can send from a low port.
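The message format described under The Problem and the privileged-port check described under Resolution, as an added worked example in Python that is not part of the original advisory. It encodes an ONC RPC call to the NFS program with AUTH_UNIX credentials, decodes it the way a server would, and applies a simplified model of the "secure ports" policy. The procedure number, the machine name "client", the xid, and the forged uid are constructed sample values, and server_decision is a model written for this example, not any real server's code. Nothing is sent on the network.

```python
import struct

# ONC RPC v2 (RFC 5531) and NFS constants used below.
RPC_CALL = 0
RPC_VERSION = 2
NFS_PROGRAM = 100003
NFS_VERSION = 2
NFSPROC_LOOKUP = 4          # NFSv2 LOOKUP; any procedure would do for this example
AUTH_NULL = 0
AUTH_UNIX = 1               # the same flavor is called AUTH_SYS in RFC 5531


def xdr_u32(n):
    return struct.pack(">I", n)


def xdr_opaque(data):
    # XDR variable-length opaque: 4-byte length, data, zero padding to a 4-byte boundary
    return xdr_u32(len(data)) + data + b"\x00" * ((-len(data)) % 4)


def auth_unix_body(uid, gid, gids=(), machine="client", stamp=0):
    # AUTH_UNIX credential body: stamp, machine name, uid, gid, supplementary gids.
    # Every field is a plain number or string; nothing here is signed or verifiable.
    body = xdr_u32(stamp) + xdr_opaque(machine.encode()) + xdr_u32(uid) + xdr_u32(gid)
    return body + xdr_u32(len(gids)) + b"".join(xdr_u32(g) for g in gids)


def build_nfs_call(xid, proc, uid, gid, gids=(), args=b""):
    """Encode an RPC CALL to the NFS program carrying AUTH_UNIX credentials.
    This is what a client kernel sends; a user program can build it just as well."""
    header = b"".join(xdr_u32(v) for v in
                      (xid, RPC_CALL, RPC_VERSION, NFS_PROGRAM, NFS_VERSION, proc))
    cred = xdr_u32(AUTH_UNIX) + xdr_opaque(auth_unix_body(uid, gid, gids))
    verf = xdr_u32(AUTH_NULL) + xdr_opaque(b"")   # AUTH_UNIX carries no verifier
    return header + cred + verf + args


class XdrReader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def u32(self):
        (value,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return value

    def opaque(self):
        length = self.u32()
        data = self.data[self.pos:self.pos + length]
        self.pos += length + ((-length) % 4)
        return data


def parse_call(msg):
    """Decode the RPC header and AUTH_UNIX credentials as an NFS server sees them."""
    r = XdrReader(msg)
    call = {name: r.u32() for name in ("xid", "msg_type", "rpcvers", "prog", "vers", "proc")}
    call["cred_flavor"] = r.u32()
    cred = XdrReader(r.opaque())
    if call["cred_flavor"] == AUTH_UNIX:
        call["cred"] = {"stamp": cred.u32(), "machine": cred.opaque().decode(),
                        "uid": cred.u32(), "gid": cred.u32()}
        call["cred"]["gids"] = [cred.u32() for _ in range(cred.u32())]
    r.u32()        # verifier flavor (AUTH_NULL)
    r.opaque()     # verifier body (empty)
    call["args"] = msg[r.pos:]
    return call


def server_decision(msg, src_port, secure_ports=True):
    """Simplified model of an AUTH_UNIX-only server (not any real implementation).
    With secure_ports it rejects calls whose UDP/TCP source port is unprivileged
    (1024 or above); otherwise it acts as whatever uid the message claims."""
    call = parse_call(msg)
    if call["cred_flavor"] != AUTH_UNIX:
        return ("reject", "unsupported credential flavor")
    if secure_ports and src_port >= 1024:
        return ("reject", "request from unprivileged port %d" % src_port)
    return ("accept", call["cred"]["uid"])


if __name__ == "__main__":
    # Constructed sample: an unprivileged user forges a LOOKUP claiming uid 0, gid 0.
    forged = build_nfs_call(xid=0x1234, proc=NFSPROC_LOOKUP, uid=0, gid=0, gids=(0,))
    print("server sees credentials:", parse_call(forged)["cred"])
    print("no port check, user port 40000:", server_decision(forged, 40000, secure_ports=False))
    print("port check, user port 40000:   ", server_decision(forged, 40000))
    # root, or a PC with no privileged-port concept, can send from a low port
    print("port check, source port 1023:  ", server_decision(forged, 1023))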
Other tips
Other ways to help reduce this vulnerability are exporting file systems
as read-only where possible and blocking ports 2049 (NFS) and 111
(portmap) on routers. Blocking at the router only keeps out hosts on the
far side of it; it does nothing against unprivileged users on hosts that
are allowed to reach the server.
Where can I read more about this?
General methods to avoid and fix NFS vulnerabilities may be
found in CERT Advisory 94.15.