Vigil@nce: Solaris, denial of service of NFSv4
March 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker can create a denial of service when an HSFS file
system is shared with NFS.
Gravity: 1/4
Consequences: denial of service of computer
Provenance: user console
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 09/03/2009
IMPACTED PRODUCTS
– OpenSolaris
– Sun Solaris
DESCRIPTION OF THE VULNERABILITY
The HSFS file system is used by CD-ROM and DVD-ROM devices.
When a directory is shared by NFS, the rfs4_op_readdir() function
of the uts/common/fs/nfs/nfs4_srv_readdir.c file reads the entries
of a directory and sends this information to the NFS client.
However, when the directory is located on an HSFS file system, the
rfs4_op_readdir() function does not correctly indicate that all
files in the directory have been listed. The NFS client thus
indefinitely loops, trying to reach the end of the directory.
A local attacker can therefore mount a CD-ROM/DVD in an NFS-shared
tree in order to create a denial of service.
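The endless listing described above, as an added example that is not
Solaris source code: a simplified C model of a READDIR exchange where
the server never reports end-of-directory, and a client loop that stops
when a reply makes no progress. The reply structure, toy_readdir() and
list_directory() are hypothetical names, and the assumption that the
flawed server answers with an empty reply lacking the eof flag is
illustrative.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define DIR_ENTRIES 5   /* constructed directory size */
#define BATCH       2   /* entries returned per READDIR reply */

/* Simplified READDIR reply: entry count, cookie of last entry, eof flag. */
struct readdir_reply { size_t count; uint64_t last_cookie; bool eof; };

/* Toy server (hypothetical). With honor_eof == false it models the flaw:
 * the end of the directory is reached but eof is never reported. */
static struct readdir_reply toy_readdir(uint64_t cookie, bool honor_eof)
{
    struct readdir_reply r = { 0, cookie, false };
    while (r.count < BATCH && r.last_cookie < DIR_ENTRIES) {
        r.last_cookie++;
        r.count++;
    }
    if (honor_eof && r.last_cookie == DIR_ENTRIES)
        r.eof = true;
    return r;
}

/* Guarded client loop. Returns the number of entries listed, or -1 when a
 * reply has no eof flag and either is empty or fails to advance the cookie. */
long list_directory(bool honor_eof)
{
    uint64_t cookie = 0;
    long total = 0;
    for (;;) {
        struct readdir_reply r = toy_readdir(cookie, honor_eof);
        total += (long)r.count;
        if (r.eof)
            return total;
        if (r.count == 0 || r.last_cookie <= cookie)
            return -1;          /* no progress: stop instead of looping */
        cookie = r.last_cookie;
    }
}
```

Without the no-progress check, the second case would repeat the same
request forever, which is the client behaviour this bulletin describes.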
CHARACTERISTICS
Identifiers: 252469, 6793049, BID-34031, VIGILANCE-VUL-8522
http://vigilance.fr/vulnerability/Solaris-denial-of-service-of-NFSv4-8522