vulnerability alert CVE-2009-2296

Solaris: bypassing nfs_portmon

Synthesis of the vulnerability

A NFSv4 client can bypass the nfs_portmon directive in order to connect to the server.

Severity: 1/4. Creation date: 02/07/2009.

Description of the vulnerability

The nfs_portmon configuration directive of the Solaris kernel requires NFS clients, which connect to the local server, to use a privileged source port number (between 512 and 1023). This directive improves the security level (requires the client to be root), but it is no sufficient in a free environment. The checkauth() function of the usr/src/uts/common/fs/nfs/nfs_server.c file checks NFS authentication, and honours nfs_portmon. However, the checkauth4() function, specific to NFSv4 and derived from checkauth(), does not contain the code checking nfs_portmon. A NFSv4 client can therefore connect to the NFS server of Solaris with a source port number superior to 1024.

Complete Vigil@nce bulletin

Access to the complete Vigil@nce bulletin

Characteristics

Title: Solaris: bypassing nfs_portmon. Keywords: 512 1023 1024 NFS NFSv4 Solaris bypassing checkauth4 nfs_portmon nfs_server. Identifiers: 262668, BID-35546, CVE-2009-2296, VIGILANCE-VUL-8836.

Information sources

Publications and announces Source example: Security Vulnerability in the Solaris Network File System Version 4 (NFSv4) 'nfs_portmon' Tunable May Allow Unauthorized Network Access

Solutions for this vulnerability

Patch or workaround

Computer vulnerabilities tracking service

The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.
The Vigil@nce vulnerability database contains several thousand vulnerabilities.
This bulletin is published by the Vigil@nce team, which tracks computer vulnerabilities impacting systems and applications.
Computer applications vulnerability