FreeBSD is a free and open source operating system. The NFS (Network File System) is a server and client application that turn FreeBSD into a file sharing server. Users can upload or update files on a remote NFS server. NFS is standard on NAS (network attached storage) devices or sharing data for web servers. A new bug found in NFS server code which could allow a remote attacker to crash the NFS server, resulting in a denial of service (DoS) attack. Another possibility is to execute arbitrary code on the server.
Multiple vulnerabilities in FreeBSD NFS server code
From the mailing list:
The Network File System (NFS) allows a host to export some or all of its file systems so that other hosts can access them over the network and mount them as if they were local. FreeBSD includes both server and client implementations of NFS.
Insufficient and improper checking in the NFS server code could cause a denial of service or possibly remote code execution via a specially crafted network packet.
No workaround is available, but systems that do not provide NFS services are not vulnerable.
Additionally, it is highly recommended the NFS service port (default port number 2049) is protected via a host or network based firewall to prevent arbitrary, untrusted clients from being able to connect.
How to fix FreeBSD NFS vulnerabilities
One can patch FreeBSD using the binary method. All you have to do is type the following two commands as root user:
# uname -mrs
# freebsd-update fetch
Install the updates:
# freebsd-update install
Installing updates... done.
Once patched just reboot the FreeBSD box:
# shutdown -r now
After reboot verify that you got a new kernel. You can find out FreeBSD version and patch level number by running the following commands:
# uname -mrs
Please note that if you are using a custom kernel, you need to compile a FreeBSD kernel. The freebsd-update based binary method only works if you are using stock FreeBSD kernel.
# svn update /usr/src/
# more /usr/src/UPDATING
# cp -v /usr/src/share/examples/jails/VIMAGE /usr/src/sys/amd64/conf/VIMAGE
# cd /usr/src/
# make -j 16 KERNCONF=VIMAGE kernel
For more info see:
- How to update source tree at /usr/src using svn on FreeBSD
- How to configure a FreeBSD 11.x Jail with vnet and ZFS
It is essential that you apply the patch binary or source code method to fix NFS related security issues. For more info, please see this page.