Vigil@nce: Solaris, bypassing nfs_portmon

July 2009 by Vigil@nce

An NFSv4 client can bypass the nfs_portmon directive in order to connect to the server.

Severity: 1/4

Consequences: data reading

Provenance: intranet client

Means of attack: no proof of concept, no attack

Ability of attacker: expert (4/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: high (3/3)

Creation date: 02/07/2009

IMPACTED PRODUCTS

- OpenSolaris

- Sun Solaris

DESCRIPTION OF THE VULNERABILITY

The nfs_portmon configuration directive of the Solaris kernel requires NFS clients that connect to the local server to use a privileged source port number (between 512 and 1023). This directive improves the security level (it requires the client to be root), but it is not sufficient in an open environment.

The checkauth() function of the usr/src/uts/common/fs/nfs/nfs_server.c file checks NFS authentication, and honours nfs_portmon. However, the checkauth4() function, specific to NFSv4 and derived from checkauth(), does not contain the code checking nfs_portmon.

An NFSv4 client can therefore connect to the Solaris NFS server with a source port number greater than 1024.
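To check whether a server is receiving such connections, the following added example (not part of the advisory and not Sun's code) scans `tcpdump -n` output for TCP connection attempts to the NFS port whose source port is above 1023. The server port 2049, the tcpdump line format and the sample capture are assumptions; the capture is constructed with documentation addresses.

```python
import re
from collections import Counter

NFS_PORT = 2049          # assumed NFS server port (NFSv4 uses this single port)
PRIVILEGED_MAX = 1023    # source ports above this do not require root on the client

# tcpdump -n line for an IPv4 TCP SYN:
# "<ts> IP a.b.c.d.sport > a.b.c.d.dport: Flags [S], ..."
SYN_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\],"
)

def unprivileged_nfs_clients(lines):
    """Count NFS connection attempts per client made from a source port > 1023."""
    hits = Counter()
    for line in lines:
        m = SYN_RE.match(line.strip())
        if not m:
            continue  # not an initial SYN (a SYN-ACK is "[S.]") or not IPv4 TCP
        src, sport, dport = m.group(1), int(m.group(2)), int(m.group(4))
        if dport == NFS_PORT and sport > PRIVILEGED_MAX:
            hits[src] += 1
    return dict(hits)

# Constructed sample capture, not real traffic.
SAMPLE = """\
10:15:01.000001 IP 192.0.2.10.1021 > 192.0.2.1.2049: Flags [S], seq 1000, win 64240, length 0
10:15:01.000150 IP 192.0.2.1.2049 > 192.0.2.10.1021: Flags [S.], seq 2000, ack 1001, win 65535, length 0
10:15:07.120000 IP 192.0.2.23.40112 > 192.0.2.1.2049: Flags [S], seq 3000, win 64240, length 0
10:15:09.500000 IP 192.0.2.23.40113 > 192.0.2.1.2049: Flags [S], seq 3100, win 64240, length 0
10:15:12.000000 IP 192.0.2.40.51000 > 192.0.2.1.22: Flags [S], seq 4000, win 64240, length 0
""".splitlines()

if __name__ == "__main__":
    for client, count in sorted(unprivileged_nfs_clients(SAMPLE).items()):
        print(f"{client}: {count} NFS connection(s) from an unprivileged source port")
```

On a server where nfs_portmon is enabled, any client this reports reached the NFS port without the privileged-port restriction applying to the initial connection, which is worth correlating with the NFS version it negotiated.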

CHARACTERISTICS

Identifiers: 262668, BID-35546, VIGILANCE-VUL-8836

http://vigilance.fr/vulnerability/Solaris-bypassing-nfs-portmon-8836

