Vigil@nce: AIX, access to NFSv4
October 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker can use two vulnerabilities of NFSv4 in order to
access network shares.
Severity: 2/4
Consequences: data reading, data creation/edition, data deletion
Provenance: intranet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Number of vulnerabilities in this bulletin: 2
Creation date: 30/09/2009
IMPACTED PRODUCTS
– IBM AIX
DESCRIPTION OF THE VULNERABILITY
The NFSv4 (Network File System version 4) service can be enabled
on AIX. It is impacted by two vulnerabilities.
When NFSv4 access is Kerberized, a vulnerability in the Kerberos
credential cache can be used by a local attacker to access a
share without authorization. [grav:2/4; BID-36545, CVE-2009-3516]
The nfs_portmon configuration directive requires NFS clients
connecting to the local server to use a privileged source port
(between 512 and 1023), so that only a root-controlled client
process can issue requests. However, this directive is not
honoured when version 4 of NFS is used. An NFSv4 client can
therefore connect to the NFS server from a source port of 1024 or
higher, and the privileged-port check gives no protection for
NFSv4 mounts. [grav:2/4; BID-36544, CVE-2009-3517]
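The following script is an added example, not part of the Vigil@nce bulletin or of AIX: it audits established sessions to the NFS port and reports clients whose source port lies outside the privileged range that nfs_portmon is meant to enforce, which is exactly the traffic an unpatched NFSv4 server would have accepted. The netstat lines it parses are constructed for illustration (AIX prints the port after the last dot of each address); the constants and function names are the example's own assumptions.

```python
"""Flag NFS sessions whose client source port is not privileged.

Added example, not code from the bulletin or from AIX. SAMPLE_NETSTAT is a
constructed, AIX-style `netstat -an` excerpt; on a real host, pass the
command's actual output to find_unprivileged_nfs_clients().
"""
import re

NFS_PORT = 2049
# Range the bulletin describes nfs_portmon as enforcing (assumption: inclusive).
PRIVILEGED_MIN = 512
PRIVILEGED_MAX = 1023

# Constructed sample output, not captured from a real system.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.2049                 *.*                    LISTEN
tcp4       0      0  10.0.0.5.2049          10.0.0.20.1009         ESTABLISHED
tcp4       0      0  10.0.0.5.2049          10.0.0.21.40123        ESTABLISHED
tcp4       0      0  10.0.0.5.22            10.0.0.21.40124        ESTABLISHED
udp4       0      0  *.2049                 *.*
"""

# AIX writes "host.port"; the port is the trailing numeric component.
_ADDR = re.compile(r"^(?P<host>.+)\.(?P<port>\d+)$")


def split_addr(addr):
    """Split '10.0.0.20.40123' into ('10.0.0.20', 40123); None for '*.*'."""
    m = _ADDR.match(addr)
    if not m:
        return None
    return m.group("host"), int(m.group("port"))


def is_privileged_port(port):
    """True if the port is in the range nfs_portmon should accept."""
    return PRIVILEGED_MIN <= port <= PRIVILEGED_MAX


def find_unprivileged_nfs_clients(netstat_output):
    """Return (client_host, client_port) for every ESTABLISHED TCP session
    to the local NFS port whose client source port is not privileged."""
    findings = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Skip banner/header lines and UDP rows (no state column).
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, foreign, state = fields[3], fields[4], fields[5]
        if state != "ESTABLISHED":
            continue
        l = split_addr(local)
        f = split_addr(foreign)
        if l is None or f is None or l[1] != NFS_PORT:
            continue
        if not is_privileged_port(f[1]):
            findings.append(f)
    return findings


if __name__ == "__main__":
    for host, port in find_unprivileged_nfs_clients(SAMPLE_NETSTAT):
        print(f"NFS session from {host}:{port} uses a non-privileged source port")
```

On the constructed sample only the 10.0.0.21 client at port 40123 is reported; the 10.0.0.20 session uses port 1009 and the other 10.0.0.21 session is SSH, not NFS. The check is an audit aid, not a fix: it only sees TCP sessions present at the moment netstat runs, and the bypass itself is closed by applying the vendor correction, not by watching for it.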
An attacker can therefore use these two vulnerabilities of NFSv4 in
order to access network shares.
CHARACTERISTICS
Identifiers: BID-36544, BID-36545, CVE-2009-3516, CVE-2009-3517,
VIGILANCE-VUL-9058