Note: This is an archival copy of Security Sun Alert 250306 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1019986.1.
Solaris 10 Operating System
Date of Resolved Release
A Security Vulnerability in the Solaris NFS Daemon (nfsd(1M)) May Allow Unauthorized Access to Data
A security vulnerability in the Solaris NFS server (nfsd(1M)) may grant multiple security modes to certain NFSv3 remote clients and thereby allow remote unprivileged users on those clients to gain unauthorized access to shared files.
Sun acknowledges with thanks Daniel Van Derveer for discovering and reporting this issue.
2. Contributing Factors
This issue can occur in the following releases:
1. Solaris 8 and 9 are not impacted by this issue.
2. OpenSolaris distributions may include additional bug fixes above and beyond the build from which they were derived. The base build can be derived as follows:
$ uname -v
3. Only NFS servers that support NFSv3 and multiple security modes are vulnerable to this issue. Servers that only support NFSv4 or NFSv3 with a single security mode are not vulnerable.
To determine if a system allows NFSv3 and is potentially vulnerable, the following command can be run:
$ grep NFS_SERVER_VERSMIN /etc/default/nfs
If the value of 'NFS_SERVER_VERSMIN' is less than '4', then the server is configured to use NFSv3 and may be vulnerable to this issue.
4. The NFS server (nfsd(1M)) must be configured to support multiple security modes (see share_nfs(1M)). This can be determined by running the following command:
$ share -F nfs
The reporting of at least two different "sec=" options in the output indicates that the system is configured to support multiple security modes.
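The two checks above can be combined into one triage script. This is an added example, not part of the original Sun Alert; the function names, the sample inputs and the assumed column layout of the share output (resource, path, options, description) are constructed for illustration.

```shell
#!/bin/sh
# Added example: tests the two configuration conditions described in this alert.
# Sample inputs below are constructed, not taken from a real host.

# Print the effective NFS_SERVER_VERSMIN from /etc/default/nfs text on stdin.
# Assumption: an absent or commented-out setting means the nfs(4) default of 2.
versmin() {
    awk -F= '/^[ \t]*NFS_SERVER_VERSMIN=/ { gsub(/[ \t]/, "", $2); v = $2 }
             END { print (v == "" ? 2 : v) }'
}

# Read `share -F nfs` output on stdin and print the path of every share
# whose option string carries two or more different sec= options.
# Assumption: the options are the third whitespace-separated field.
multi_sec_shares() {
    awk '{
        n = split($3, opt, ","); seen = ""; count = 0
        for (i = 1; i <= n; i++)
            if (opt[i] ~ /^sec=/ && index(seen, " " opt[i] " ") == 0) {
                seen = seen " " opt[i] " "
                count++
            }
        if (count >= 2) print $2
    }'
}

# Succeed only when both conditions hold: NFSv3 (or lower) is offered
# and at least one share lists multiple security modes.
# $1 = text of /etc/default/nfs, $2 = text of `share -F nfs` output
potentially_affected() {
    [ "$(printf '%s\n' "$1" | versmin)" -lt 4 ] &&
        [ -n "$(printf '%s\n' "$2" | multi_sec_shares)" ]
}

# Constructed sample inputs.
SAMPLE_DEFAULTS='#NFS_SERVER_VERSMIN=2
NFS_SERVER_VERSMAX=4'
SAMPLE_SHARES='-  /export/home  sec=sys,rw  ""
-  /export/data  sec=sys,rw=hosta,sec=krb5,rw=hostb  ""'

if potentially_affected "$SAMPLE_DEFAULTS" "$SAMPLE_SHARES"; then
    echo "Both conditions met; shares with multiple sec= options:"
    printf '%s\n' "$SAMPLE_SHARES" | multi_sec_shares
fi
```

On a live server, call it as potentially_affected "$(cat /etc/default/nfs)" "$(share -F nfs)". On Solaris 10 itself, run it under /usr/xpg4/bin/sh or ksh with /usr/xpg4/bin first in PATH, since the legacy /bin/sh and /usr/bin/awk lack the POSIX features used here.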
There are no predictable symptoms that would indicate the described issue has occurred.
To work around this issue, there are two options:
A) Use the same access list for all security modes supported by the NFS server.
B) Allow only NFSv4 traffic to the server by editing /etc/default/nfs (see nfs(4)) and changing 'NFS_SERVER_VERSMIN' to '4':
And then restart the NFS server using the following command:
$ svcadm restart svc:/network/nfs/server
Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.