The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Solaris: access to NFS files

Summary of the vulnerability

When an NFS server uses AUTH_NONE and AUTH_SYS, an authenticated client can access server files with the same uid.
Impacted software: OpenSolaris, Solaris.
Severity of this computer vulnerability: 2/4.
Creation date: 10/03/2009.
References for this bulletin: 253588, 6359212, BID-34063, CVE-2009-0872, VIGILANCE-VUL-8524.

Description of the vulnerability

An NFS server has several security modes (nfssec):
 - AUTH_SYS (sec=sys): shared files can be accessed by the user with the same uid
 - AUTH_NONE (sec=none): shared files are "owned" by the nobody user

Both modes can be used simultaneously, each with its own ro/rw access list:
  sec=sys, rw=trusted_clients, sec=none, ro=other_clients

However, in this particular configuration, the AUTH_SYS mode is applied to all NFS clients, including those that should only be served in AUTH_NONE mode.

When an NFS server uses AUTH_NONE and AUTH_SYS, an authenticated client can therefore access server files with the same uid.
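To find shares that match this configuration, the following added example (not part of the original bulletin or of any vendor tool) scans a dfstab-style file for share commands that enable both sec=sys and sec=none. The function names, sample paths and client names are assumptions, and the sample input is constructed; the colon form sec=sys:none is also checked, which goes slightly beyond the single configuration shown above.

```shell
#!/bin/sh
# Added example: audit a Solaris dfstab-style file for NFS shares that
# enable both AUTH_SYS (sec=sys) and AUTH_NONE (sec=none).

# find_mixed_sec FILE -> prints one affected share path per line.
# Only explicit sec= options are examined (hypothetical helper name).
find_mixed_sec() {
    awk '
    /^[ \t]*#/ { next }                       # skip comment lines
    $1 != "share" { next }                    # only share commands
    {
        gsub(/"[^"]*"/, "Q")                  # collapse quoted -d text
        opts = ""; path = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "-o") { i++; opts = $i }
            else if ($i == "-F" || $i == "-d") { i++ }   # skip argument
            else if ($i ~ /^\//) { path = $i }
        }
        sys = 0; none = 0
        n = split(opts, o, ",")
        for (j = 1; j <= n; j++) {
            if (o[j] !~ /^sec=/) continue
            m = split(substr(o[j], 5), modes, ":")   # sec=a:b form
            for (k = 1; k <= m; k++) {
                if (modes[k] == "sys")  sys = 1
                if (modes[k] == "none") none = 1
            }
        }
        if (sys && none && path != "") print path
    }' "$1"
}

# Constructed sample input: paths and client names are made up.
write_sample() {
    cat > "$1" <<'EOF'
# constructed dfstab sample
share -F nfs -o sec=sys,rw=trusted_clients,sec=none,ro=other_clients /export/data
share -F nfs -o sec=sys,rw=trusted_clients -d "home dirs" /export/home
share -F nfs -o sec=none,ro /export/pub
share -F nfs -o sec=sys:none,ro /export/docs
EOF
}

sample=$(mktemp) && write_sample "$sample"
find_mixed_sec "$sample"
rm -f "$sample"
```

On a real server, pass the path of the dfstab file to find_mixed_sec and review each listed share against the patch levels given in the solutions section.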

This computer threat impacts software or systems such as OpenSolaris, Solaris.

Our Vigil@nce team determined that the severity of this computer vulnerability alert is medium.

The trust level is "confirmed by the editor", and the origin is "intranet client".

An attacker with an expert ability can exploit this cybersecurity weakness.

Solutions for this threat 

Solaris: patch for NFS.
A patch is available:
  SPARC Platform
    Solaris 10 : patch 139462-02
    OpenSolaris : build snv_111
  x86 Platform
    Solaris 10 : patch 139463-02
    OpenSolaris : build snv_111