| NFS CD accesses non-exported files | |
|---|---|
| Risk Level: | High |
| Check or Attack Name: | nfscd |
| Platforms: | Unix |
| Description: | A client can `cd ..` out of an NFS mount and reach server files that were never exported. Some older mount daemons are supposed to restrict a client machine to one directory of the server; instead the client gains full access to the rest of that server file system. In the original NFS implementation, a lookup of `..` from the root of an exported directory that is not the physical root of its file system returns the file handle of the parent directory even though that directory was not exported, and the server then honours that handle like any other: the export is enforced once at mount time, not on each lookup. This is particularly worrisome for diskless clients. A user with root access on their own NFS-mounted root file system also gets it on every physical directory above and below that mounted root on the server (for example, the root file systems of the other workstations). |
| Remedy: | Contact your vendor for a patch. For specific patches, see the CERT Advisories listed in the References. Sun users should also see Patch ID 100173-13. All Sun patches are available from SunSolve Online Public Patch Access at http://sunsolve.sun.com/sunsolve/pubpatches/patches.html. |
| References: | CERT Advisory CA-91.21, NFS Jumbo and fsirand Patches, http://www.cert.org/advisories/CA-91.21.SunOS.NFS.Jumbo.and.fsirand.html (also http://www.cert.org/ftp/cert_advisories/CA-91%3a21.SunOS.NFS.Jumbo.and.fsirand) |
| | CERT Advisory CA-92.15, Multiple SunOS Vulnerabilities Patched, http://www.cert.org/advisories/CA-92.15.Multiple.SunOS.vulnerabilities.patched.html (also http://www.cert.org/ftp/cert_advisories/CA-92%3a15.Multiple.SunOS.vulnerabilities.patched) |
| | CERT Advisory CA-93.15, /usr/lib/sendmail, /bin/tar, and /dev/audio Vulnerabilities, http://www.cert.org/advisories/CA-93.15.SunOS.and.Solaris.vulnerabilities.html (also http://www.cert.org/ftp/cert_advisories/CA-93%3a15.SunOS.and.Solaris.vulnerabilities) |
| | CERT Advisory CA-94.02, Revised Patch for SunOS /usr/etc/rpc.mountd Vulnerability, http://www.cert.org/advisories/CA-94.02.REVISED.SunOS.rpc.mountd.vulnerability.html (also http://www.cert.org/ftp/cert_advisories/CA-94%3a02.REVISED.SunOS.rpc.mountd.vulnerability) |
| | CERT Advisory CA-94.15, NFS Vulnerabilities, http://www.cert.org/advisories/CA-94.15.NFS.Vulnerabilities.html (also http://www.cert.org/ftp/cert_advisories/CA-94%3a15.NFS.Vulnerabilities) |
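The lookup sequence the Description walks through, as an added example that is not part of the original entry and not any vendor's NFS server code: a toy in-memory server replays a client's single-component LOOKUP calls, once with the original behaviour (export checked only by mountd at MOUNT time) and once with the export enforced on every request. The directory tree, the `ws1`/`ws2` workstation names and the use of plain server paths as file handles are assumptions made for the illustration.

```python
import posixpath

# Constructed toy server file system (directory -> entries), modelled on the
# diskless-client layout in the Description: every workstation root lives under
# /export/<host> on the server's single physical file system rooted at /.
# Handles are plain server paths here. Real NFSv2 handles carry a file system
# id plus inode and generation numbers, and the parent of an exported directory
# shares that file system id, which is exactly why the original server could
# not tell the two apart without an explicit per-request export check.
SERVER_TREE = {
    "/": ["etc", "export", "home"],
    "/etc": ["passwd"],
    "/export": ["ws1", "ws2"],
    "/export/ws1": ["etc", "usr"],
    "/export/ws1/etc": ["passwd"],
    "/export/ws2": ["etc"],
    "/export/ws2/etc": ["passwd"],
    "/home": ["alice"],
}


def _exists(path):
    """True if PATH names a directory or file in SERVER_TREE."""
    parent, base = posixpath.split(path)
    return path == "/" or base in SERVER_TREE.get(parent, [])


def _inside(root, path):
    """True if PATH is ROOT itself or lies below it."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def _resolve(handle, name):
    """Path that LOOKUP(handle, name) refers to. NFS LOOKUP takes exactly one
    path component, so '/' is rejected; '..' is where the trouble starts."""
    if "/" in name:
        raise ValueError("LOOKUP takes a single component: %r" % name)
    return posixpath.normpath(posixpath.join(handle, name))


def lookup_vulnerable(export_root, handle, name):
    """LOOKUP as in the original implementation. EXPORT_ROOT was checked once,
    by mountd at MOUNT time, and is ignored here: any handle on the same
    physical file system is honoured, and '..' at the export root yields the
    handle of the unexported parent directory."""
    target = _resolve(handle, name)
    if not _exists(target):
        raise FileNotFoundError(target)
    return target


def lookup_fixed(export_root, handle, name):
    """LOOKUP that enforces the export on every request, not just at MOUNT:
    refuse handles from outside the export, and treat the export root as the
    top of the file system so that '..' there stays put (chroot semantics)."""
    if not _inside(export_root, handle):
        raise PermissionError("handle outside export: %s" % handle)
    target = _resolve(handle, name)
    if not _exists(target):
        raise FileNotFoundError(target)
    if not _inside(export_root, target):
        return export_root
    return target


def walk(lookup, export_root, names, start=None):
    """Replay a client's sequence of single-component LOOKUPs. START is the
    handle the client holds initially (normally the one MOUNT returned for the
    export; pass another path to model a handle kept or guessed from elsewhere).
    Returns the final handle, or None if the server refused."""
    handle = export_root if start is None else start
    for name in names:
        try:
            handle = lookup(export_root, handle, name)
        except (PermissionError, FileNotFoundError):
            return None
    return handle


if __name__ == "__main__":
    # cd .. at the mount root, then into another workstation's root file system
    escape = ["..", "ws2", "etc", "passwd"]
    print("original:", walk(lookup_vulnerable, "/export/ws1", escape))
    print("fixed   :", walk(lookup_fixed, "/export/ws1", escape))
```

The two server variants differ only in `lookup_fixed` checking both the incoming handle and the result against the export, which is the per-request validation the vendor patches in the Remedy supply. A practitioner's alternative when no patch is available is to export whole physical file systems rather than subdirectories, so `..` at the export root has no unexported parent on the same file system; on Linux nfsd the corresponding per-request check for subdirectory exports is the `subtree_check` option documented in exports(5).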