LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Solaris / OpenSolaris (https://www.linuxquestions.org/questions/solaris-opensolaris-20/)
-   -   Solaris 10 "NFS Share User Mountable" Nessus vulnerability (https://www.linuxquestions.org/questions/solaris-opensolaris-20/solaris-10-nfs-share-user-mountable-nessus-vulnerability-773214/)

AlucardZero 12-03-2009 09:41 AM
Solaris 10 "NFS Share User Mountable" Nessus vulnerability
 
I need to fix the following Nessus vulnerability (odd punctuation sic) -

Quote:
Synopsis :;;It is possible to access the remote NFS shares without having root privileges.;;Description :;;Some of the NFS shares exported by the remote server could be;mounted by the scanning host. An attacker may exploit this problem;to gain read (and possibly write) access to files on remote host.;;Note that root privileges were not required to mount the remote shares. That is,;the source port to mount the shares was bigger than 1024.;;Solution :;;Configure NFS on the remote host so that only authorized hosts can mount;the remote shares.;;The remote NFS server should prevent mount requests originating from a non-privileged port.;;Risk factor :;;High / CVSS Base Score : 7.5;(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P);;Plugin output :;;The following NFS shares could be mounted without root privileges: [etc]
I have a
Code:
SunOS av1 5.10 Generic_141414-02 sun4u sparc SUNW,Sun-Fire-V445
.

My Googling has revealed the "nfs_portmon" option, so at the end of /etc/system I have
Code:
set nfssrv:nfs_portmon = 1
and the server has been rebooted, and it's taken effect:
Code:
$ sudo adb -k
physmem fb35d
nfs_portmon /D
nfs_portmon:
nfs_portmon:    1
yet mountd is still not on a reserved port:
Code:
$ rpcinfo -p | grep mountd
    100005    1  udp  32797  mountd
    100005    1  tcp  32783  mountd
    100005    2  udp  32797  mountd
    100005    2  tcp  32783  mountd
    100005    3  udp  32797  mountd
    100005    3  tcp  32783  mountd
and subsequent scans still return the same thing.

Where am I going wrong?

scoban 12-04-2009 02:15 AM
You have to modify share options by giving necessary permissions to necessary hosts. For example to give rw access to 192.168.1.1 host:

Code:
share -F nfs -o rw=192.168.1.1 /export/home/scoban
I do not know if it gives any advantages starting the mount daemon with <1024 ports...

AlucardZero 12-09-2009 09:13 AM
Not sure restricting to certain clients is an option, as this Very Important Server's NFS exports are mounted by employees worldwide.

Anyway, this post seems to indicate that I can't do this in Solaris 10 either, but I don't know where to find the RFE to check. I searched Google and Sunsolve (after logging in, and yep we have a support contract) but couldn't find it.

jlliagre 12-09-2009 07:00 PM
After trying to understand the poorly worded problem description, it seems to me the risk factor is not that much due to using a reserved port or not but more to sharing a file system to anyone. Implementing the "-p port" option wouldn't really solve that issue as I suspect you haven't any way to prevent a user to be root on its own machine worldwide.
If you want a strong security model with NFS, you might want to force NFSv4 (NFS_SERVER_VERSMIN=4 in /etc/default/nfs).


All times are GMT -5. The time now is 03:50 PM.