nfs -- remote denial of service

ID 6111ECB8-B20D-11DA-B2FB-000E0C2E438A
Type freebsd
Reporter FreeBSD
Modified 2016-08-09T00:00:00


Problem description: A part of the NFS server code charged with handling incoming RPC messages via TCP had an error which, when the server received a message with a zero-length payload, would cause a NULL pointer dereference which results in a kernel panic. The kernel will only process the RPC messages if a userland nfsd daemon is running. Impact: The NULL pointer deference allows a remote attacker capable of sending RPC messages to an affected FreeBSD system to crash the FreeBSD system. Workaround:

Disable the NFS server: set the nfs_server_enable variable to "NO" in /etc/rc.conf, and reboot. Alternatively, if there are no active NFS clients (as listed by the showmount(8) utility), simply killing the mountd and nfsd processes should suffice.

Add firewall rules to block RPC traffic to the NFS server from untrusted hosts.