HighCheck or Attack Name: nfsmount
NFS was found to be mountable. The security of NFS relies heavily upon who is allowed to mount the files that a server exports, and whether or not they are exported read-only.
Through NFS, an attacker can gain access to files in the export directory. Some administrators purposefully export directories for everyone to be able to gain access to the data. This check attempts to mount the exports. If the attempt is successful, the check continues by trying to test for the NFS UID, NFS Mknod, and NFS cd bugs. Further, the check searches for a writable directory and reports if it finds these files: .rhosts, .cshrc, .login, .profile, or .netrc.
These files typically appear in an account's home directory. An attacker can modify the files to obtain access to the machine.
The Risk Level can range from Low to High. The type of data exported should determine the risk level. If it is a read/writable home directory, it is a high risk. If the exported directory is /cdrom, it is probably low risk.
Check the configuration of the /etc/exports on your host. Export file systems only to hosts that require them. Export only to fully qualified hostnames. Make sure export lists do not exceed 256 characters. Use the showmount utility to check that exports are correct. Wherever possible, mount file systems to be exported read only and export file systems read only.
If NFS is not needed, consider disabling it, or verify and set permissions to approved users on exported volumes or shared directories. Where possible, mount file systems to be exported read-only and export file systems read-only.
Unix: Check permissions on exported volumes using the showmount -e command. If the exported directories look like the listing that follows, anyone can use mount /usr - to possibly replace files and gain access:
/usr (everyone)
/export/hosta hosta
/export/hostb hostb
The hosta and hostb systems appear to be clients to this server. In such a case, /usr can be mounted by anyone. Instead, this access should be restricted. You should also check hosta and hostb for other security vulnerabilities. When either system is vulnerable, then so is the server.
Windows: NFS is not native to Windows, but may be present. To verify permissions:
- Open Server Manager. From the Windows NT Start menu, select Programs, Administrative Tools (Common), Server Manager.
- Select the server.
- From the Computer menu, select Shared Directories.
- Set permissions to allow access only to approved users.
Note: The Windows NT fix depends on what NFS server you are running. Refer to your NFS documentation for more information.
CERT Advisory CA-91.21, SunOS NFS Jumbo and fsirand Patches, http://www.cert.org/advisories/CA-91.21.SunOS.NFS.Jumbo.and.fsirand.html
CERT Advisory CA-92.15, Multiple SunOS Vulnerabilities Patched, http://www.cert.org/advisories/CA-92.15.Multiple.SunOS.vulnerabilities.patched.html
CERT Advisory CA-93.15 CERT Advisory CA-93.15, /usr/lib/sendmail, /bin/tar, and /dev/audio Vulnerabilities, http://www.cert.org/advisories/CA-93.15.SunOS.and.Solaris.vulnerabilities.html
CERT Advisory CA-94.02, Revised Patch for SunOS /usr/etc/rpc.mountd Vulnerability, http://www.cert.org/advisories/CA-94.02.REVISED.SunOS.rpc.mountd.vulnerability.html
CERT Advisory CA-94.15, NFS Vulnerabilities, http://www.cert.org/advisories/CA-94.15.NFS.Vulnerabilities.html
CERT Advisory CA-91.21, SunOS NFS Jumbo and fsirand Patches, ftp://info.cert.org/pub/cert_advisories/CA-91:21.SunOS.NFS.Jumbo.and.fsirand
CERT Advisory CA-92.15, Multiple SunOS Vulnerabilities Patched, ftp://info.cert.org/pub/cert_advisories/CA-92:15.Multiple.SunOS.vulnerabilities.patched
CERT Advisory CA-93.15 CERT Advisory CA-93.15, /usr/lib/sendmail, /bin/tar, and /dev/audio Vulnerabilities, ftp://info.cert.org/pub/cert_advisories/CA-93:15.SunOS.and.Solaris.vulnerabilities
CERT Advisory CA-94.02, Revised Patch for SunOS /usr/etc/rpc.mountd Vulnerability, ftp://info.cert.org/pub/cert_advisories/CA-94:02.REVISED.SunOS.rpc.mountd.vulnerability
CERT Advisory CA-94.15, NFS Vulnerabilities, ftp://info.cert.org/pub/cert_advisories/CA-94:15.NFS.Vulnerabilities
