From security-advisories@freebsd.org Tue Aug 6 21:20:00 2002 From: FreeBSD Security Advisories To: Bugtraq Date: Mon, 5 Aug 2002 16:50:07 -0700 (PDT) Subject: FreeBSD Security Advisory FreeBSD-SA-02:36.nfs -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-02:36.nfs Security Advisory The FreeBSD Project Topic: Bug in NFS server code allows remote denial of service Category: core Module: nfs Announced: 2002-08-05 Credits: Mike Junk Affects: All releases prior to 4.6.1-RELEASE-p7 4.6-STABLE prior to the correction date Corrected: 2002-07-19 17:19:53 UTC (RELENG_4) 2002-08-01 19:31:55 UTC (RELENG_4_6) 2002-08-01 19:31:54 UTC (RELENG_4_5) 2002-08-01 19:31:54 UTC (RELENG_4_4) FreeBSD only: NO I. Background The Network File System (NFS) allows a host to export some or all of its filesystems, or parts of them, so that other hosts can access them over the network and mount them as if they were on local disks. NFS is built on top of the Sun Remote Procedure Call (RPC) framework. II. Problem Description A part of the NFS server code charged with handling incoming RPC messages had an error which, when the server received a message with a zero-length payload, would cause it to reference the payload from the previous message, creating a loop in the message chain. This would later cause an infinite loop in a different part of the NFS server code which tried to traverse the chain. III. Impact Certain Linux implementations of NFS produce zero-length RPC messages in some cases. A FreeBSD system running an NFS server may lock up when such clients connect. An attacker in a position to send RPC messages to an affected FreeBSD system can construct a sequence of malicious RPC messages that cause the target system to lock up. IV. Workaround 1) Disable the NFS server: set the nfs_server_enable variable to "NO" in /etc/rc.conf, and reboot. Alternatively, if there are no active NFS clients (as listed by the showmount(8) utility), just killing the mountd and nfsd processes should suffice. 2) Add firewall rules to block RPC traffic to the NFS server from untrusted hosts. V. Solution The following patch has been verified to apply to FreeBSD 4.4, 4.5, and 4.6 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:36/nfs.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:36/nfs.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel and modules as described in and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Path Revision Branch - ------------------------------------------------------------------------- src/sys/nfs/nfs_socket.c RELENG_4 1.60.2.5 RELENG_4_6 1.60.2.3.2.1 RELENG_4_5 1.60.2.1.6.1 RELENG_4_4 1.60.2.3.4.1 - ------------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iQCVAwUBPU8NTVUuHi5z0oilAQHMZAP+L80QudeELKHfZYxG5PPf6cuWkreACavl LP1oJDHLWuw32K4tM0Y+v505t+U2/wGnl2dSqwkfemzxlhzfsmrbubQx8EFgO6sb nhEEtSfu4t81ylHTY+qEWFtRweB5A1tGJaYV67wybWZxulkYJ9qnRLKF4PToc0E3 T1Y/CN0DNYA= =2YSa -----END PGP SIGNATURE-----