Vigil@nce: Solaris, access to NFS files
March 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
When an NFS server uses both AUTH_NONE and AUTH_SYS, an authenticated
client can access server files with the same uid.
Gravity: 2/4
Consequences: data reading, data creation/modification, data deletion
Provenance: intranet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 10/03/2009
IMPACTED PRODUCTS
– OpenSolaris
– Sun Solaris
DESCRIPTION OF THE VULNERABILITY
An NFS server has several security modes (nfssec):
– AUTH_SYS (sec=sys): shared files can be accessed by the user
with the same uid
– AUTH_NONE (sec=none): shared files are "owned" by the nobody
user
Both modes can be used simultaneously with a ro/rw ACL for each
access:
sec=sys, rw=trusted_clients, sec=none, ro=other_clients
However, in this special configuration, the AUTH_SYS mode is
applied to all NFS clients.
When an NFS server uses both AUTH_NONE and AUTH_SYS, an authenticated
client can therefore access server files with the same uid.
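An added example, not part of the Vigil@nce bulletin or of Sun's code: a Python audit check that flags for review any share entry enabling both sec=sys and sec=none, which generalizes the configuration shown above to the colon form (sec=sys:none). It assumes entries in the Solaris /etc/dfs/dfstab form "share -F nfs -o <options> <path>"; the sample entries, paths and function names are constructed.

```python
# Constructed sample in /etc/dfs/dfstab style; paths and client names are made up.
SAMPLE_DFSTAB = """\
# constructed example entries
share -F nfs -o sec=sys,rw=trusted_clients,sec=none,ro=other_clients /export/data
share -F nfs -o sec=sys,rw=trusted_clients /export/home
share -F nfs -o sec=none,ro /export/pub
share -F nfs -o sec=sys:none,ro /export/mixed
"""


def sec_modes(optstr):
    """Map each mode named in a sec= option to the access options that follow it."""
    clauses, current = {}, None
    for opt in optstr.split(","):
        if opt.startswith("sec="):
            current = []                      # options after this sec= belong to it
            for mode in opt[4:].split(":"):   # sec=a:b names several modes at once
                clauses[mode] = current
        elif current is not None and opt:
            current.append(opt)
    return clauses


def find_mixed_shares(dfstab_text):
    """Return (line number, path, modes) for shares enabling both sys and none."""
    findings = []
    for lineno, line in enumerate(dfstab_text.splitlines(), 1):
        args = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if not args or args[0] != "share" or "-o" not in args[:-1]:
            continue
        modes = sec_modes(args[args.index("-o") + 1])
        if "sys" in modes and "none" in modes:
            findings.append((lineno, args[-1], modes))
    return findings


if __name__ == "__main__":
    for lineno, path, modes in find_mixed_shares(SAMPLE_DFSTAB):
        print(f"line {lineno}: {path} enables both sec=sys and sec=none: {modes}")
```

To audit a real server, pass the contents of its dfstab file to find_mixed_shares() instead of the constructed sample.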
CHARACTERISTICS
Identifiers: 253588, 6359212, BID-34063, CVE-2009-0872,
VIGILANCE-VUL-8524
http://vigilance.fr/vulnerability/Solaris-access-to-NFS-files-8524