Multiple Vendor NFS Exported Share Information Disclosure

1985-01-01T00:00:00
ID OSVDB:339
Type osvdb
Reporter OSVDB
Modified 1985-01-01T00:00:00

Description

Vulnerability Description

Multiple Vendors ship with the ability to use the Network File System (NFS) for sharing drives between computers. By default, many of these implementations have little or no security that protects the contents of the shared drives. Due to administrative oversight, drives are also frequently shared without care or thought as to the amount of information available. Rather than sharing a single directory, the entire drive (including sensitive system files) may become available to remote users. In other cases, drives are shared with insecure permissions allowing anyone to mount them, read the files, as well as write or delete files.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Maintain a good security policy for NFS exported drives. Use as many technical controls as possible to restrict access to the drives, and/or require some form of authentication.

Short Description

Multiple Vendors ship with the ability to use the Network File System (NFS) for sharing drives between computers. By default, many of these implementations have little or no security that protects the contents of the shared drives. Due to administrative oversight, drives are also frequently shared without care or thought as to the amount of information available. Rather than sharing a single directory, the entire drive (including sensitive system files) may become available to remote users. In other cases, drives are shared with insecure permissions allowing anyone to mount them, read the files, as well as write or delete files.

References:

Generic Informational URL: http://www.tldp.org/HOWTO/NFS-HOWTO/security.html Generic Informational URL: http://www.faqs.org/rfcs/rfc1094.html CVE-1999-0554