Category: Security
Release Phase: Resolved
Bug Id: 6378538
Product: Solaris 10 Operating System
Date of Resolved Release: 18-Aug-2008
Denial of Service Vulnerability in NFSv4 Client Kernel Module:
1. Impact
A security vulnerability in the NFSv4 client kernel module may allow a
local unprivileged user, cooperating with a remote privileged user on
an NFSv4 server, to cause all NFSv4 mounts on client systems that have
an NFSv4 mount from that server to become unresponsive. This is a type
of Denial of Service (DoS).
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
- Solaris 10 without patch 137111-05
- OpenSolaris based upon builds snv_01 through snv_36
x86 Platform
- Solaris 10 without patch 137112-05
- OpenSolaris based upon builds snv_01 through snv_36
Note 1: Solaris 8 and 9 are not impacted by this issue.
Note 2: To determine which version of NFS an NFS mount is using, the
nfsstat(1M) command can be used:
$ nfsstat -m /mnt/point
Flags: vers=4,proto=tcp,sec=sys,hard,intr,link,symlink,acl,rsize=1048576,wsize=1048576,retrans=10,timeo=600
Attr cache: acregmin=3,acregmax=60,acdirmin=30,acdirmax=60
The number after the "vers=" string indicates the version of NFS in use
for the mounted file system.
Note 3: This issue only affects NFS environments where NFSv4 is in use
as well as automountd(1M). Solaris 10 and later NFS clients and servers
default to NFSv4. This is configurable by editing the
/etc/default/nfs file (see nfs(4)).
To determine if the autofs mount/unmount daemon is enabled, the
following command can be run:
$ svcs svc:/system/filesystem/autofs:default
STATE STIME FMRI
online Aug_07 svc:/system/filesystem/autofs:default
Note 4: OpenSolaris distributions may include additional bug fixes
above and beyond the build from which they were derived.
To determine the base build of OpenSolaris, the following command
can be used:
$ uname -v
snv_86
3. Symptoms
If the described issue is exploited, all NFSv4 mounts on systems that
have an NFSv4 mount from the compromised NFSv4 server will become
unresponsive. Depending on the file system configuration, this may
lead to a system hang.
4. Workaround
To work around the described issue, NFS client systems can be
configured not to use NFSv4 by setting "NFS_CLIENT_VERSMAX=3" in
"/etc/default/nfs". Please refer to nfs(4) documentation.
5. Resolution
This issue is resolved in the following releases:
SPARC Platform
- Solaris 10 with patch 137111-05 or later
- OpenSolaris based upon builds snv_37 or later
x86 Platform
- Solaris 10 with patch 137112-05 or later
- OpenSolaris based upon builds snv_37 or later
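The checks from Notes 2 to 4, the workaround setting and the build range above can be combined into one triage script. This is an added example, not part of the Sun Alert; the function names, verdict strings and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage a client using the checks from Notes 2-4 and the workaround.
# Every function takes command output as text, so the logic also runs off-box.

# stdin: `nfsstat -m` output. Succeeds if any mount negotiated NFSv4.
has_nfsv4_mount() { grep -Eq 'Flags:.*vers=4(,|$)'; }

# stdin: `svcs` output. Succeeds if the autofs service is online.
autofs_online() {
    awk '$1 == "online" && $3 == "svc:/system/filesystem/autofs:default" { ok = 1 }
         END { exit !ok }'
}

# stdin: /etc/default/nfs. Succeeds if an uncommented NFS_CLIENT_VERSMAX is 1-3.
client_capped_below_v4() {
    awk -F= '/^[ \t]*NFS_CLIENT_VERSMAX=/ { v = $2 + 0 }
             END { exit !(v >= 1 && v <= 3) }'
}

# $1: `uname -v` string. Succeeds for OpenSolaris builds snv_01 through snv_36.
# Solaris 10 strings are not snv_*; there the patch level decides, not the build.
build_affected() {
    case "$1" in snv_*) n=${1#snv_} ;; *) return 1 ;; esac
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    [ "$n" -ge 1 ] && [ "$n" -le 36 ]
}

# $1 nfsstat text, $2 svcs text, $3 /etc/default/nfs text. Prints one verdict.
# What nfsstat reports as negotiated outranks what the config file requests.
triage() {
    if printf '%s\n' "$1" | has_nfsv4_mount; then
        if printf '%s\n' "$2" | autofs_online; then echo exposed
        else echo nfsv4-without-autofs; fi
    elif printf '%s\n' "$3" | client_capped_below_v4; then echo workaround-applied
    else echo no-nfsv4-mount
    fi
}

# Constructed samples modelled on the output shown in this alert.
SAMPLE_NFSSTAT=' Flags: vers=4,proto=tcp,sec=sys,hard,intr,link,symlink,acl'
SAMPLE_SVCS='STATE STIME FMRI
online Aug_07 svc:/system/filesystem/autofs:default'
SAMPLE_NFSCONF='#NFS_CLIENT_VERSMAX=4'

triage "$SAMPLE_NFSSTAT" "$SAMPLE_SVCS" "$SAMPLE_NFSCONF"
build_affected snv_86 && echo "build affected" || echo "build not affected"
```

On a live client, pass `"$(nfsstat -m)"`, `"$(svcs svc:/system/filesystem/autofs:default)"` and `"$(cat /etc/default/nfs)"` to `triage`; an `exposed` verdict on Solaris 10 still needs the patch level checked against 137111-05 or 137112-05.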
For more information on Security Sun Alerts, see 1009886.1.
This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This
Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle,
Santa Clara, CA 95054 U.S.A. All rights reserved.
References
137111-05
137112-05