Unrestricted NFS Export
CAN 1999-0554
Summary
This vulnerability allows unauthorized access to system and/or user
files.
Impact
Unrestricted access allows hackers to modify files on the system.
Background
Network File System (NFS) is a service which allows
file systems to be exported to other hosts. Authorized client hosts may
mount the file systems onto a point in their own directory structure.
The Problem
The lack of adequate NFS access restrictions allows unauthorized access
to system and/or user files. Unrestricted access allows hackers to modify
files on the system. An intruder could remotely compromise user or system
files and then take over the machine. For example, an intruder could
remotely replace a system program or configuration file. On UNIX systems,
an intruder could remotely install an .rhosts file to obtain interactive
access (allowing the intruder to log in to the system) or remotely install
a .forward file to obtain non-interactive access (the .forward file
forwards a user's mail to a location specified in the file).
Resolution
To correct this vulnerability, make sure that all file exports specify an
explicit list of clients or netgroups. Also, export all file systems as
read-only where possible. Note that some versions of the NFS mount daemon
cannot expand large netgroups and will export to the world anyway. This
problem is specific to some versions of SunOS and is described in CERT
Advisory 94.02 (link provided below). Also, be sure to check vendor patch
lists. Consider blocking ports 2049 (NFS) and 111 (portmap) on routers.
Note also that, in NIS netgroup members, empty host fields are treated as
wildcards and cause the mount daemon to grant access to any host.
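The checks described above can be automated. The following is an added example, not part of the original advisory: it audits an exports file for entries with no explicit client list, for writable exports, and for netgroups that contain an empty host field. It assumes Linux exports(5) syntax and netgroup(5) triples; the paths, host names and function names are constructed for illustration.

```python
import re

# Constructed sample data (not from the advisory). Assumed formats: Linux
# exports(5) lines and netgroup(5) "(host,user,domain)" triples.
EXPORTS = """\
/home      @trusted(rw) build01.example.com(ro)
/usr/local *(ro)
/srv/data  (rw)
/export    @labhosts(ro)
"""
NETGROUP = """\
trusted  (alpha.example.com,,) (beta.example.com,,)
labhosts (gamma.example.com,,) (,,)
"""

def open_netgroups(text):
    """Return names of netgroups that contain a triple with an empty host field."""
    bad = set()
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        # Members that are themselves netgroup names are not expanded here.
        for host, _user, _domain in re.findall(r"\(([^,)]*),([^,)]*),([^)]*)\)", parts[1]):
            if not host.strip():
                bad.add(parts[0])
    return bad

def audit_exports(exports, netgroup):
    """Return sorted (path, client, finding) tuples for risky export entries."""
    wild = open_netgroups(netgroup)
    findings = []
    for line in exports.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for client in clients or ["(ro)"]:  # no client list: exported to everyone
            host, _, opts = client.partition("(")
            label = host or "<none>"
            if host in ("", "*") or (host.startswith("@") and host[1:] in wild):
                findings.append((path, label, "exported to any host"))
            if "rw" in opts.rstrip(")").split(","):
                findings.append((path, label, "writable"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_exports(EXPORTS, NETGROUP):
        print(*finding, sep="\t")
```
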
Where can I read more about this?