Multiple vulnerabilities in FreeBSD NFS server code

FreeBSD is a free and open source operating system. NFS (Network File System) is a server and client application that turns FreeBSD into a file sharing server. Users can upload or update files on a remote NFS server. NFS is standard on NAS (network attached storage) devices and for sharing data for web servers. A new bug has been found in the NFS server code that could allow a remote attacker to crash the NFS server, resulting in a denial of service (DoS). It may also be possible to execute arbitrary code on the server.

From the mailing list:

The Network File System (NFS) allows a host to export some or all of its file systems so that other hosts can access them over the network and mount them as if they were local. FreeBSD includes both server and client implementations of NFS.

Insufficient and improper checking in the NFS server code could cause a denial of service or possibly remote code execution via a specially crafted network packet.

No workaround is available, but systems that do not provide NFS services are not vulnerable.

Additionally, it is highly recommended the NFS service port (default port number 2049) is protected via a host or network based firewall to prevent arbitrary, untrusted clients from being able to connect.

How to fix FreeBSD NFS vulnerabilities

One can patch FreeBSD using the binary method. All you have to do is type the following two commands as root user:
# uname -mrs
# freebsd-update fetch

[Figure: Patching FreeBSD Security Advisory FreeBSD-SA-18:13.nfs with freebsd-update; NFS server issue detected on Nov 28 2018]

Install the updates:
# freebsd-update install
Installing updates... done.

Once patched, reboot the FreeBSD box:
# reboot
OR
# shutdown -r now

Verification

After the reboot, verify that you got a new kernel. You can find the FreeBSD version and patch level by running the following commands:
# freebsd-version
# uname -mrs
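
The verification step can be scripted. The following is an added example, not code from the original article or from the FreeBSD project: it compares the running kernel (`freebsd-version -r`) and the installed kernel (`freebsd-version -k`) against a minimum patch level that you take from the advisory for your release branch. The function names are hypothetical, and the minimum version is an argument you supply, not a value from this page.

```shell
#!/bin/sh
# Added example: decide whether a reboot or further patching is still needed.
# Version strings look like "11.2-RELEASE-p4"; no "-pN" suffix means level 0.

# Print the numeric patch level of a version string.
patch_level() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# Print the release branch, i.e. the version string without "-pN".
branch() {
    case "$1" in
        *-p[0-9]*) echo "${1%-p*}" ;;
        *)         echo "$1" ;;
    esac
}

# check_patched RUNNING INSTALLED REQUIRED
# Returns 0 = running kernel is patched, 1 = not patched,
#         2 = patched kernel installed but not booted, 3 = branch mismatch.
check_patched() {
    cp_run=$1; cp_inst=$2; cp_req=$3
    if [ "$(branch "$cp_run")" != "$(branch "$cp_req")" ]; then
        echo "UNKNOWN: $cp_run and $cp_req are different branches"; return 3
    fi
    if [ "$(patch_level "$cp_run")" -ge "$(patch_level "$cp_req")" ]; then
        echo "OK: running kernel $cp_run >= $cp_req"; return 0
    fi
    if [ "$(patch_level "$cp_inst")" -ge "$(patch_level "$cp_req")" ]; then
        echo "REBOOT: $cp_inst is installed but $cp_run is still running"; return 2
    fi
    echo "VULNERABLE: $cp_run < $cp_req, run freebsd-update fetch install"; return 1
}

# On a FreeBSD host: sh check.sh <minimum version from the advisory>
# (the argument is a placeholder you supply; none is hard-coded here).
if command -v freebsd-version >/dev/null 2>&1 && [ -n "${1:-}" ]; then
    check_patched "$(freebsd-version -r)" "$(freebsd-version -k)" "$1"
fi
```

A return code of 2 is the case the reboot step exists for: `freebsd-update install` has written the new kernel to disk, but the old one is still the one serving NFS.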

Please note that if you are using a custom kernel, you need to compile the FreeBSD kernel yourself. The freebsd-update based binary method only works if you are using the stock FreeBSD kernel.
# svn update /usr/src/
# more /usr/src/UPDATING
# cp -v /usr/src/share/examples/jails/VIMAGE /usr/src/sys/amd64/conf/VIMAGE
# cd /usr/src/
# make -j 16 KERNCONF=VIMAGE kernel
# reboot
# freebsd-version

Conclusion

It is essential that you apply the patch, using either the binary or the source code method, to fix the NFS-related security issues. For more info, please see this page.