Bugtraq mailing list archives
Re: CERT, about NFS
From: meister () ftp com (phil servita)
Date: Thu, 22 Dec 1994 14:41:14 -0500
I just got a CERT advisory about NFS that talks about some fairly obvious (once thought of) dangers of NFS. It advises:

A. Filter packets at your firewall/router.
B. Use a portmapper that disallows proxy access.
C. Check the configuration of the /etc/exports files on your hosts. In particular:
   1. Do *not* self-reference an NFS server in its own exports file.
   2. Do not allow the exports file to contain a "localhost" entry.

Anyone know why these are recommended? As far as I can see, if your portmapper doesn't do proxy calls and/or you firewall out port 111, and you don't care about local attacks, neither C.1 nor C.2 will buy you anything further. Am I missing something, or are these bits of advice simply there for people who don't do A and B?

der Mouse
I suspect you are correct; the standard hole uses proxy RPC calls, which appear to come from 127.0.0.1, so if you have localhost in your export files, or loopback-mount filesystems to yourself, you can use a proxy call to get that root file handle. Doing *either* (A and B) OR disallowing proxy calls will stop this. Best to do both anyway. Firewalling 111, 2049 is fine, but having a second line of defense with the above makes sense.

-phil

This is all so *old* though; why a CERT warning *now*? Perhaps they waited until someone's exploit program was being used too often? Piffle. I'll stop flaming now...
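An added example, not code from either poster or from the CERT advisory: a small audit of an NFS exports file for the two conditions the advisory's item C names (C.1, the server referencing itself; C.2, a "localhost" entry), extended to flag unrestricted exports as well, since an export with no access list accepts any source and therefore also accepts a proxied request arriving from 127.0.0.1. It assumes the two common exports layouts of the era (SunOS `-access=a:b,root=c` options and BSD/Linux `host(opts)` tokens); the hostnames, paths and sample file are constructed for the example, and `local_names()` is a helper for a live run that the embedded sample does not use.

```python
# Added example (not from the original post): audit an NFS exports file for
# the /etc/exports conditions the CERT advisory names, C.1 (the server
# referencing itself) and C.2 (a "localhost" entry), plus unrestricted
# exports, which accept any source and so also accept a proxied 127.0.0.1.
# Hostnames, paths and the sample file below are constructed for the example.
import socket

LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "loopback"}


def parse_exports(text):
    """Parse exports text into (path, clients, restricted) tuples.

    Two layouts are handled (assumption: they cover the hosts being audited):
      SunOS style:      /export  -access=hostA:hostB,root=hostA,ro
      BSD/Linux style:  /export  hostA(rw) hostB(ro)
    `clients` lists every host named anywhere on the line (access=, rw=,
    root=, or a bare host token); `restricted` is False when the line
    exports to everyone (no access list, or a "*" client).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], []
        has_list, world = False, False
        for tok in fields[1:]:
            if tok.startswith("-"):
                # SunOS option string: comma-separated, some as name=val
                for opt in tok[1:].split(","):
                    name, _, val = opt.partition("=")
                    if name in ("access", "rw", "root") and val:
                        for host in val.split(":"):
                            if host and host not in clients:
                                clients.append(host)
                        if name == "access":
                            has_list = True
            else:
                # BSD/Linux style: host(options), bare host, or just (options)
                host = tok.split("(", 1)[0]
                if host in ("", "*"):
                    world = True
                elif host not in clients:
                    clients.append(host)
                    has_list = True
                else:
                    has_list = True
        entries.append((path, clients, has_list and not world))
    return entries


def audit_exports(text, self_names):
    """Return (path, client, reason) findings: the server's own names (C.1),
    loopback clients (C.2), and exports with no access restriction."""
    own = {n.lower() for n in self_names}
    findings = []
    for path, clients, restricted in parse_exports(text):
        if not restricted:
            findings.append((path, "*", "unrestricted export: any source, "
                             "including a proxied 127.0.0.1, is accepted"))
        for client in clients:
            name = client.lower()
            if name in LOOPBACK_NAMES or name.startswith("127."):
                findings.append((path, client, "loopback client (C.2)"))
            elif name in own:
                findings.append((path, client, "self-reference (C.1)"))
    return findings


def local_names():
    """Names an NFS server may use for itself: hostname, FQDN and addresses.
    For a live audit of the running host; the sample below uses fixed names."""
    host = socket.gethostname()
    names = {host, socket.getfqdn(host)}
    try:
        names.update(socket.gethostbyname_ex(host)[2])
    except socket.gaierror:
        pass
    return names


# Constructed sample; "fileserver" is the audited host's own name.
SELF_NAMES = {"fileserver", "fileserver.example.com", "192.0.2.10"}
SAMPLE_EXPORTS = """\
# constructed sample, not a real host's exports
/usr/share    -access=nfsclient1:nfsclient2,ro
/home         nfsclient1(rw) localhost(rw)
/export/root  -root=fileserver,access=fileserver:nfsclient1
/pub          -ro
"""

if __name__ == "__main__":
    for path, client, reason in audit_exports(SAMPLE_EXPORTS, SELF_NAMES):
        print(f"{path:14} {client:12} {reason}")
```

Run against the sample it reports `/home` (localhost entry), `/export/root` (the server named in its own root= and access= lists) and `/pub` (exported to everyone); `/usr/share` is clean. For a live host, pass `local_names()` as `self_names` and the contents of `/etc/exports` as `text`.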