Vigil@nce: Solaris, denial of service of NFSv4
January 2009 by Vigil@nce
A local attacker can rename a file located on a remote NFSv4 share
in order to panic the local system.
– Gravity: 1/4
– Consequences: denial of service of computer
– Provenance: user shell
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 06/01/2009
IMPACTED PRODUCTS
– OpenSolaris
– Sun Solaris
DESCRIPTION OF THE VULNERABILITY
The NFS version 4 protocol uses:
– a server to export a path
– a client to connect to this share and to use it as if it were a
local filesystem
The nfs4rename_persistent_fh() function of the
usr/src/uts/common/fs/nfs/nfs4_vfsops.c file is called when a
filename changes.
However, if the file is renamed on the server and on the NFSv4
client at the same time, a mutex that is already held is acquired
again via mutex_enter(), which panics the system.
A local attacker can therefore rename a file located on a remote
NFSv4 share in order to panic the local system.
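The failure mode described above, modelled in user space as an added example (not Solaris source code and not the vendor's fix): a routine that takes a lock unconditionally is called from a path that already holds that lock. The model_mutex_* helpers, fh_entry_t, the two updater functions and client_rename() are hypothetical names constructed for illustration, and the call path is an assumption, not the actual one in nfs4_vfsops.c.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a non-recursive kernel mutex: only ownership is tracked. */
typedef struct { int owner; } kmutex_model_t;            /* 0 = not held */
typedef struct { kmutex_model_t lock; char name[32]; } fh_entry_t;
enum { ENTER_OK = 0, ENTER_PANIC = 1 };
typedef int (*updater_fn)(fh_entry_t *, int, const char *);

static bool model_mutex_owned(const kmutex_model_t *m, int tid) { return m->owner == tid; }
static void model_mutex_exit(kmutex_model_t *m, int tid) { if (m->owner == tid) m->owner = 0; }
/* Acquisition by the thread that already owns the lock is the panic condition. */
static int model_mutex_enter(kmutex_model_t *m, int tid) {
    if (m->owner == tid) return ENTER_PANIC;
    m->owner = tid;      /* a real mutex would block while another thread owns it */
    return ENTER_OK;
}

/* Hypothetical updater that always takes the entry lock itself. */
static int update_name_unchecked(fh_entry_t *e, int tid, const char *nm) {
    if (model_mutex_enter(&e->lock, tid) != ENTER_OK) return ENTER_PANIC;
    snprintf(e->name, sizeof e->name, "%s", nm);
    model_mutex_exit(&e->lock, tid);
    return ENTER_OK;
}
/* Same updater, but it takes and drops the lock only if the caller does not hold it. */
static int update_name_checked(fh_entry_t *e, int tid, const char *nm) {
    bool held = model_mutex_owned(&e->lock, tid);
    if (!held && model_mutex_enter(&e->lock, tid) != ENTER_OK) return ENTER_PANIC;
    snprintf(e->name, sizeof e->name, "%s", nm);
    if (!held) model_mutex_exit(&e->lock, tid);
    return ENTER_OK;
}

/* Hypothetical client rename: calls the updater while still holding the lock. */
static int client_rename(fh_entry_t *e, int tid, const char *nm, bool server_renamed, updater_fn upd) {
    int rc = ENTER_OK;
    if (model_mutex_enter(&e->lock, tid) != ENTER_OK) return ENTER_PANIC;
    if (server_renamed) rc = upd(e, tid, nm);             /* nested acquisition happens here */
    else snprintf(e->name, sizeof e->name, "%s", nm);
    model_mutex_exit(&e->lock, tid);
    return rc;
}

int main(void) {
    fh_entry_t e = { {0}, "old" };                        /* constructed sample entry */
    int bad = client_rename(&e, 1, "race", true, update_name_unchecked);
    int good = client_rename(&e, 1, "race", true, update_name_checked);
    printf("unchecked=%d checked=%d name=%s\n", bad, good, e.name);
    return 0;
}
```

In the Solaris kernel the ownership test corresponding to model_mutex_owned() is mutex_owned(), usually written as the MUTEX_HELD() macro in assertions.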
CHARACTERISTICS
– Identifiers: 248566, 6300710, VIGILANCE-VUL-8369
– URL: http://vigilance.fr/vulnerability/Solaris-denial-of-service-of-NFSv4-8369