Multiple vulnerabilities in FreeBSD NFS server code

FreeBSD is a free and open source operating system. The NFS (Network File System) is a server and client application that turn FreeBSD into a file sharing server. Users can upload or update files on a remote NFS server. NFS is standard on NAS (network attached storage) devices or sharing data for web servers. A new bug found in NFS server code which could allow a remote attacker to crash the NFS server, resulting in a denial of service (DoS) attack. Another possibility is to execute arbitrary code on the server.

Multiple vulnerabilities in FreeBSD NFS server code


From the mailing list:

The Network File System (NFS) allows a host to export some or all of its file systems so that other hosts can access them over the network and mount them as if they were local. FreeBSD includes both server and client implementations of NFS.

Insufficient and improper checking in the NFS server code could cause a denial of service or possibly remote code execution via a specially crafted network packet.

No workaround is available, but systems that do not provide NFS services are not vulnerable.

Additionally, it is highly recommended the NFS service port (default port number 2049) is protected via a host or network based firewall to prevent arbitrary, untrusted clients from being able to connect.

How to fix FreeBSD NFS vulnerabilities

One can patch FreeBSD using the binary method. All you have to do is type the following two commands as root user:
# uname -mrs
# freebsd-update fetch

Patching FreeBSD Security Advisory FreeBSD-SA-18:13.nfs

Install the updates:
# freebsd-update install
Installing updates... done.

Once patched just reboot the FreeBSD box:
# reboot
OR
# shutdown -r now

Verification

After reboot verify that you got a new kernel. You can find out FreeBSD version and patch level number by running the following commands:
# freebsd-version
# uname -mrs


Please note that if you are using a custom kernel, you need to compile a FreeBSD kernel. The freebsd-update based binary method only works if you are using stock FreeBSD kernel.
# svn update /usr/src/
# more /usr/src/UPDATING
# cp -v /usr/src/share/examples/jails/VIMAGE /usr/src/sys/amd64/conf/VIMAGE
# cd /usr/src/
# make -j 16 KERNCONF=VIMAGE kernel
# reboot
# freebsd-verion

For more info see:

Conclusion

It is essential that you apply the patch binary or source code method to fix NFS related security issues. For more info, please see this page.


🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 0 comments... add one

CategoryList of Unix and Linux commands
Disk space analyzersncdu pydf
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
0 comments… add one

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum