Vigil@nce: Solaris, denial of service via NFSv4
July 2009 by Vigil@nce
A malicious NFS server can stop the NFSv4 clients that connect to it.
Severity: 2/4
Consequences: denial of service of computer
Provenance: intranet server
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 16/07/2009
IMPACTED PRODUCTS
– OpenSolaris
– Sun Solaris
DESCRIPTION OF THE VULNERABILITY
The Solaris kernel implements an NFS version 4 client.
Patches 139466-02/139467-02 and the build snv_102 modified the
behavior of this client. When the user renames a directory
associated with a hard link, a fatal error occurs in the functions:
– sv_activate() of usr/src/uts/common/fs/nfs/nfs4_shadow.c
– makenfs4node_by_fh() of usr/src/uts/common/fs/nfs/nfs4_rnode.c
An attacker can therefore create a malicious NFS server, then
invite the victim to connect to it in version 4 and to rename a
directory, in order to stop the victim's computer.
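An exposure check for the condition described above, added here as an example and not taken from the advisory or from Sun: it reports a host where patch 139466 or 139467 is installed at revision 02 or later and at least one file system is mounted with NFS version 4. It assumes the usual `showrev -p` and `nfsstat -m` output layouts, treats every revision from 02 upward as carrying the changed behavior (the advisory names no fixed revision), and does not cover OpenSolaris builds; the function names and sample data are constructed.

```shell
#!/usr/bin/env bash
# Added example: run with bash or ksh on Solaris 10 (the legacy /bin/sh lacks $(...)).
AWK=$(command -v nawk || command -v awk)   # Solaris /usr/bin/awk is the old awk

# Reads `showrev -p` text on stdin; prints patch 139466/139467 entries at
# revision 02 or later (assumption: later revisions keep the changed behavior).
patch_present() {
    "$AWK" '$1 == "Patch:" {
        split($2, p, "-")
        if ((p[1] == "139466" || p[1] == "139467") && p[2] + 0 >= 2) { print $2; found = 1 }
    }
    END { exit (found ? 0 : 1) }'
}

# Reads `nfsstat -m` text on stdin; prints mount points mounted with vers=4.
nfs4_mounts() {
    "$AWK" '/ from / { mp = $1 }
    /Flags:.*vers=4/ { print mp; found = 1 }
    END { exit (found ? 0 : 1) }'
}

# $1 = `showrev -p` text, $2 = `nfsstat -m` text
check() {
    patches=$(printf '%s\n' "$1" | patch_present) || patches=""
    mounts=$(printf '%s\n' "$2" | nfs4_mounts) || mounts=""
    if [ -n "$patches" ] && [ -n "$mounts" ]; then
        echo "REVIEW: patch $patches installed and NFSv4 in use on: $mounts"
    else
        echo "OK: advisory condition not met"
    fi
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_SHOWREV='Patch: 139466-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 999999-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'
SAMPLE_NFSSTAT='/mnt/data from nfssrv:/export/data
 Flags:         vers=4,proto=tcp,sec=sys,hard,intr
/mnt/old from nfssrv:/export/old
 Flags:         vers=3,proto=tcp,sec=sys,hard,intr'

if command -v showrev >/dev/null 2>&1; then
    check "$(showrev -p)" "$(nfsstat -m)"      # real Solaris host
else
    check "$SAMPLE_SHOWREV" "$SAMPLE_NFSSTAT"  # offline demo on the samples
fi
```

A REVIEW line means only that both preconditions named in the advisory are present; whether the mounted servers are trusted is a separate question.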
CHARACTERISTICS
Identifiers: 262788, 6847540, BID-35714, CVE-2009-2488,
VIGILANCE-VUL-8871
http://vigilance.fr/vulnerability/Solaris-denial-of-service-via-NFSv4-8871