FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

nfs -- remote denial of service

Affected systems
6.0 < FreeBSD < 6.0_5
5.4 < FreeBSD < 5.4_12
5.3 < FreeBSD < 5.3_27
4.11 < FreeBSD < 4.11_15
4.10 < FreeBSD < 4.10_21

Details

VuXML ID 6111ecb8-b20d-11da-b2fb-000e0c2e438a
Discovery 2006-03-01
Entry 2006-03-12
Modified 2006-06-09

Problem description:

A part of the NFS server code charged with handling incoming RPC messages via TCP had an error which, when the server received a message with a zero-length payload, would cause a NULL pointer dereference which results in a kernel panic. The kernel will only process the RPC messages if a userland nfsd daemon is running.

Impact:

The NULL pointer deference allows a remote attacker capable of sending RPC messages to an affected FreeBSD system to crash the FreeBSD system.

Workaround:

  1. Disable the NFS server: set the nfs_server_enable variable to "NO" in /etc/rc.conf, and reboot.

    Alternatively, if there are no active NFS clients (as listed by the showmount(8) utility), simply killing the mountd and nfsd processes should suffice.

  2. Add firewall rules to block RPC traffic to the NFS server from untrusted hosts.

References

CVE Name CVE-2006-0900
FreeBSD Advisory SA-06:10.nfs