=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2009/VULN086
_____________________________________________________________________

DATE                      : 11/03/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Solaris 10, OpenSolaris running nfsd.

======================================================================
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-66-250306-1
______________________________________________________________________

   Solution Type: Sun Alert
   Solution  250306 :   A Security Vulnerability in the Solaris NFS
   Daemon (nfsd(1M)) May Allow Unauthorized Access to Data
   Bug ID: 6763320

   Product
   Solaris 10 Operating System
   OpenSolaris

   Date of Resolved Release: 09-Mar-2009

   SA Document Body
   A Security Vulnerability in the Solaris NFS Daemon (nfsd(1M)) May Allow
   Unauthorized Access to Data

   1. Impact

   A security vulnerability in the Solaris NFS server (nfsd(1M)) may
   grant multiple security modes to certain NFSv3 remote clients and
   thereby allow remote unprivileged users on those clients to gain
   unauthorized access to shared files.
   Sun acknowledges with thanks Daniel Van Derveer, for discovering and
   reporting this issue.

   2. Contributing Factors

   This issue can occur in the following releases:
   SPARC Platform
     * Solaris 10 without patch 139462-02
     * OpenSolaris based upon builds snv_01 through snv_105

   x86 Platform
     * Solaris 10 without patch 139463-02
     * OpenSolaris based upon builds snv_01 through snv_105

   Notes:
   1. Solaris 8 and 9 are not impacted by this issue.
   2. OpenSolaris distributions may include additional bug fixes above
   and beyond the build from which it was derived. The base build can be
   derived as follows:
   $ uname -v
   snv_86

   3. Only NFS servers that support NFSv3 and multiple security modes are
   vulnerable to this issue.  Servers that only support NFSv4 or NFSv3
   with a single security mode are not vulnerable.
   To determine if a system allows NFSv3 and is potentially vulnerable,
   the following command can be run:
   $ grep NFS_SERVER_VERSMIN /etc/default/nfs
   #NFS_SERVER_VERSMIN=2

   If the value of 'NFS_SERVER_VERSMIN' is less than '4', then the server
   is configured to use NFSv3 and may be vulnerable to this issue.
   4. The NFS server (nfsd(1M)) must be configured to support multiple
   security modes (see share_nfs(1M)).  This can be determined by running
   the following command:
   $ share -F nfs
   -@pool/builds   /builds/clones   sec=sys,rw=testhost,sec=krb5,rw   ""

   The reporting of at least two different "sec=" options in the output
   indicates that the system is configured to support multiple security
   modes.

   3. Symptoms

   There are no predictable symptoms that would indicate the described
   issue has occurred.

   4. Workaround

   To work around this issue, there are two options:
   A) Use the same access list for all security modes supported by the
   NFS server.
   or:
   B) Allow only NFSv4 traffic to the server by editing /etc/default/nfs
   (see nfs(4)) and change 'NFS_SERVER_VERSMIN' to '4':

   NFS_SERVER_VERSMIN=4

   And then restart the nfs server using the following command:
   $ svcadm restart svc:/network/nfs/server

   5. Resolution

   SPARC Platform
     * Solaris 10 with patch 139462-02 or later
     * OpenSolaris based upon builds snv_106 or later

   x86 Platform
     * Solaris 10 with patch 139463-02 or later
     * OpenSolaris based upon builds snv_106 or later

   For more information on Security Sun Alerts, see Technical
   Instruction ID 213557.

   This Sun Alert notification is being provided to you on an "AS IS"
   basis. This Sun Alert notification may contain information provided by
   third parties. The issues described in this Sun Alert notification may
   or may not impact your system(s). Sun makes no representations,
   warranties, or guarantees as to the information contained herein. ANY
   AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
   WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
   NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
   YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
   OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.

   This Sun Alert notification contains Sun proprietary and confidential
   information. It is being provided to you pursuant to the provisions of
   your agreement to purchase services from Sun, or, if you do not have
   such an agreement, the Sun.com Terms of Use. This Sun Alert
   notification may only be used for the purposes contemplated by these
   agreements.

   Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved

======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================