Re: CERT, about NFS

phil servita (meister@ftp.com)
Thu, 22 Dec 1994 14:41:14 -0500

>I just got a CERT advisory about NFS that talks about some fairly
>obvious (once thought of) dangers of NFS.  It advises:
>
>>      A. Filter packets at your firewall/router.  
>
>>      B. Use a portmapper that disallows proxy access.
>
>>      C. Check the configuration of the /etc/exports files on your hosts.
>>         In particular:
>
>>          1. Do *not* self-reference an NFS server in its own exports file.
>>          2. Do not allow the exports file to contain a "localhost" entry.
>
>Anyone know why these are recommended?  As far as I can see, if your
>portmapper doesn't do proxy calls and/or you firewall out port 111, and
>you don't care about local attacks, neither C.1 nor C.2 will buy you
>anything further.  Am I missing something, or are these bits of advice
>simply there for people who don't do A and B?
>
>					der Mouse

I suspect you are correct; the standard hole uses proxy RPC calls, which
appear to come from 127.0.0.1, so if you have localhost in your export
files, or loopback mount filesystems to yourself, you can use a proxy
call to get that root file handle. Doing *either* (A and B) OR
disallowing proxy calls will stop this. Best to do both anyway.

Firewalling 111,2049 is fine, but having a second line of defense with
the above makes sense.

                                           -phil

This is all so *old* though; why a CERT warning *now*? Perhaps they
waited until someone's exploit program was being used too often? Piffle.
I'll stop flaming now...
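
Added example, not part of the original message: a Python audit for items C.1 and C.2 of the quoted advisory, flagging loopback and self-referencing clients in exports text. The function names, the sample file and the server name "nfs1" are constructed assumptions; the parser covers the SunOS `-access=a:b` form and the Linux `host(opts)` form only.

```python
LOOPBACK = {"localhost", "localhost.localdomain", "::1"}

def clients_of(line):
    """Return the client names on one exports line (SunOS or Linux style)."""
    clients = []
    for field in line.split()[1:]:
        if field.startswith("-"):
            # SunOS style: -access=a:b,root=c,ro
            for opt in field[1:].split(","):
                key, _, value = opt.partition("=")
                if key in ("access", "root", "rw", "ro") and value:
                    clients.extend(value.split(":"))
        else:
            # Linux style: host(opts)
            clients.append(field.split("(", 1)[0])
    return [c for c in clients if c]

def audit_exports(text, own_names):
    """Return (path, client, reason) for each loopback or self-referencing entry.

    own_names: every name and address the server answers to (assumed to be
    supplied by the caller, e.g. hostname, FQDN, interface addresses).
    """
    own = {n.lower() for n in own_names}
    findings = []
    # Join backslash-continued lines, then drop comments and blanks.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path = line.split()[0]
        for client in clients_of(line):
            name = client.lower()
            if name in LOOPBACK or name.startswith("127."):
                findings.append((path, client, "loopback entry (C.2)"))
            elif name in own:
                findings.append((path, client, "self-reference (C.1)"))
    return findings

# Constructed sample exports file, not taken from a real host.
SAMPLE = """\
/export/home  -access=alpha:beta,root=alpha
/usr          -access=localhost:gamma
/var/spool    nfs1(rw) delta(ro)
/opt          127.0.0.1(rw,no_root_squash) \\
              epsilon(ro)
"""

if __name__ == "__main__":
    for path, client, reason in audit_exports(SAMPLE, {"nfs1"}):
        print(f"{path}: {client}: {reason}")
```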