Denial of Service Vulnerability in NFSv4 Client Kernel Module


Category :Security
Release Phase :Resolved
Bug Id :6378538  
Product :Solaris 10 Operating System  
Date of Resolved Release :18-Aug-2008  

Denial of Service Vulnerability in NFSv4 Client Kernel Module:


1. Impact

A security vulnerability in the NFSv4 client kernel module may allow a local unprivileged user who cooperates with a remote privileged user on an NFSv4 server to be able to cause all NFSv4 mounts on client systems which have an NFSv4 mount of  the above NFSv4 server to become unresponsive.  This is a type of Denial of Service (DoS).

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform
  • Solaris 10 without patch 137111-05
  • OpenSolaris based upon builds snv_01 through snv_36
x86 Platform
  • Solaris 10 without patch 137112-05
  • OpenSolaris based upon builds snv_01 through snv_36
Note 1: Solaris 8 and 9 are not impacted by this issue.

Note 2: To determine what version of  NFS an NFS mount is using the nfsstat(1M) command can be used:
    $ nfsstat -m /mnt/point
    Flags: vers=4,proto=tcp,sec=sys,hard,intr,link,symlink,acl,rsize=1048576,wsize=1048576,retrans=10,timeo=600
    Attr cache: acregmin=3,acregmax=60,acdirmin=30,acdirmax=60
The number after the "vers=" string indicates the version of NFS in use for the mounted file system.

Note 3:  This issue only affects NFS environments where NFSv4 is in use as well as automountd(1M).  Solaris 10 and later NFS clients and servers default to NFSv4.  This is configurable by editing the /etc/default/nfs file (see nfs(4)).

To determine if the autofs mount/unmount daemon is enabled,  the following command can be run:
    $ svcs svc:/system/filesystem/autofs:default
    STATE          STIME    FMRI
    online         Aug_07   svc:/system/filesystem/autofs:default
Note 4:  OpenSolaris distributions may include additional bug fixes above and beyond the build from which it was derived. 

To determine the base build of  OpenSolaris, the following command can be used:
    $ uname -v
    snv_86
3. Symptoms

If the described issue is exploited, all NFSv4 mounts on systems which have an NFSv4 mount on an NFSv4 server which has been compromised will become unresponsive. Depending on the file system configuration, this may lead to a system hang.

4. Workaround

To work around the described issue, NFS client systems can be configured not to use NFSv4 by setting "NFS_CLIENT_VERSMAX=3" in "/etc/default/nfs". Please refer to nfs(4) documentation.

5. Resolution

This issue is resolved in the following releases:

SPARC Platform
  • Solaris 10 with patch 137111-05 or later
  • OpenSolaris based upon builds snv_37 or later
x86 Platform
  • Solaris 10 with patch 137112-05 or later
  • OpenSolaris based upon builds snv_37 or later

For more information on Security Sun Alerts, see Technical Instruction ID 213557.

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.

Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.




Attachments
This solution has no attachment
 
Sun support customers:
more support information is available after you sign in.
 
»   Login
»   Register
»   Lost UserName/Password
 
Login Required

You must login and have a valid contract to access Sun's Premium content which includes:

  • Sun Alerts
  • Bugs
  • Patches
  • Solutions
  • White Papers
  • Documentation
  • Support Knowledge

Login Required

You must login and have a valid contract to access Sun's contracted features

Access Legend:

(Login to access)   Sun Contracted Content
(Login to access)   Sun Contracted Feature

Please make use of SunSolve Feedback application by selecting the floating [+] to provide feedback about this specific document.

Search
Article Details
Article ID : 240546
Article Type : Sun Alert
Last reviewed : 2008-08-18
Audience : PUBLIC
Keywords :
Provide feedback  (help)
Page Tools
»  Print This Page
»  Email This Article
»  Bookmark This Article
Security Support
»   Security Center
»   Report Security Vulnerabilities
»   Security PGP Key
»   Sun Alert Notifications - RSS Feeds
»   Sun Alert Notifications - eNewsletter
»   Solaris Fingerprint Database
 
SunSolve Navigation
»   Forums for contracted customers
»   Licenses
»   Log a Service Request
»   Patches and Updates
»   Product Download Center
»   SunSystem Handbook
»   SunSolve Japan
SunSolve Feedback, Help and Updates
»   Blog
»   Community
»   Feedback
»   Help
»   Learn about SunSolve
»   Twitter
About Oracle | Oracle and Sun | Oracle RSS Feeds | Subscribe | Careers | Contact Us | Site Maps | Legal Notices | Terms of Use | Your Privacy Rights | Copyright © 2010, Oracle Corporation and/or its affiliates | SunSolve Version 7.4.2 #1