Vigil@nce: Solaris, file access via NFSv3
March 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
When NFSv3 is enabled on the server, and when several security
modes are configured, a client can access shared files.
Gravity: 2/4
Consequences: data reading, data creation/modification
Provenance: user account
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 11/03/2009
IMPACTED PRODUCTS
– OpenSolaris
– Sun Solaris
DESCRIPTION OF THE VULNERABILITY
An NFS server has several security modes (nfssec):
– AUTH_SYS (sec=sys): shared files can be accessed by the user
with the same uid
– AUTH_NONE (sec=none): shared files are "owned" by the nobody
user
– etc.
Several modes can be used simultaneously with a ro/rw ACL for each
access. For example:
sec=sys, rw=trusted_clients, sec=none, ro=other_clients
However, in this case, the NFSv3 implementation does not honour
these different ACLs.
An NFS client can therefore access resources which should be
blocked by an ACL.
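
To find shares that use the configuration described above, the following Python example (added here, not part of the Vigil@nce bulletin or of Sun's code) groups the ro/rw lists of a share option string by the sec= mode they follow and flags shares that combine several modes with different lists. The function names and the sample share lines are constructed for illustration.

```python
import shlex

def parse_share_options(optstr):
    """Map each sec= mode to the ro/rw access lists that follow it."""
    modes = {}
    current = ["sys"]  # share_nfs defaults to AUTH_SYS when no sec= is given
    for opt in (o.strip() for o in optstr.split(",")):
        key, _, value = opt.partition("=")
        if key == "sec":
            current = value.split(":")  # sec=sys:none names two modes at once
            for mode in current:
                modes.setdefault(mode, {})
        elif key in ("ro", "rw"):
            acl = sorted(value.split(":")) if value else ["*"]  # bare ro/rw = all clients
            for mode in current:
                modes.setdefault(mode, {})[key] = acl
    return modes

def mixes_security_modes(optstr):
    """True when several sec modes carry different ro/rw lists."""
    modes = parse_share_options(optstr)
    distinct = {repr(sorted(acl.items())) for acl in modes.values()}
    return len(modes) > 1 and len(distinct) > 1

def audit_share_lines(lines):
    """Return the paths of shares whose options match the advisory's case."""
    flagged = []
    for line in lines:
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line.startswith("share"):
            continue
        args = shlex.split(line)
        if "-o" in args and args.index("-o") + 1 < len(args):
            if mixes_security_modes(args[args.index("-o") + 1]):
                flagged.append(args[-1])  # the pathname is the last argument
    return flagged

# Constructed sample share commands, not taken from a real host.
SAMPLE_SHARES = [
    "# constructed sample",
    "share -F nfs -o sec=sys,rw=trusted_clients,sec=none,ro=other_clients /export/data",
    "share -F nfs -o sec=sys:none,ro /export/pub",
    'share -F nfs -o rw=trusted_clients -d "home dirs" /export/home',
]

if __name__ == "__main__":
    for path in audit_share_lines(SAMPLE_SHARES):
        print("review share options for", path)
```

Only /export/data is reported: /export/pub names two modes but gives both the same list, and /export/home uses a single mode.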
CHARACTERISTICS
Identifiers: 250306, 6763320, BID-34062, CVE-2009-0873,
VIGILANCE-VUL-8530
http://vigilance.fr/vulnerability/Solaris-file-access-via-NFSv3-8530