FreeBSD is a free and open source operating system. The NFS (Network File System) is a server and client application that turn FreeBSD into a file sharing server. Users can upload or update files on a remote NFS server. NFS is standard on NAS (network attached storage) devices or sharing data for web servers. A new bug found in NFS server code which could allow a remote attacker to crash the NFS server, resulting in a denial of service (DoS) attack. Another possibility is to execute arbitrary code on the server.

Multiple vulnerabilities in FreeBSD NFS server code

Multiple vulnerabilities in FreeBSD NFS server code
From the mailing list:

The Network File System (NFS) allows a host to export some or all of its file systems so that other hosts can access them over the network and mount them as if they were local. FreeBSD includes both server and client implementations of NFS.

Insufficient and improper checking in the NFS server code could cause a denial of service or possibly remote code execution via a specially crafted network packet.

No workaround is available, but systems that do not provide NFS services are not vulnerable.

Additionally, it is highly recommended the NFS service port (default port number 2049) is protected via a host or network based firewall to prevent arbitrary, untrusted clients from being able to connect.

How to fix FreeBSD NFS vulnerabilities

One can patch FreeBSD using the binary method. All you have to do is type the following two commands as root user:
# uname -mrs
# freebsd-update fetch

freebsd-update to patch nfs server issue detected on Nov 28 2018
Patching FreeBSD Security Advisory FreeBSD-SA-18:13.nfs

Install the updates:
# freebsd-update install
Installing updates... done.

Once patched just reboot the FreeBSD box:
# reboot
OR
# shutdown -r now

Verification

After reboot verify that you got a new kernel. You can find out FreeBSD version and patch level number by running the following commands:
# freebsd-version
# uname -mrs

FreeBSD version and patch level
Please note that if you are using a custom kernel, you need to compile a FreeBSD kernel. The freebsd-update based binary method only works if you are using stock FreeBSD kernel.
# svn update /usr/src/
# more /usr/src/UPDATING
# cp -v /usr/src/share/examples/jails/VIMAGE /usr/src/sys/amd64/conf/VIMAGE
# cd /usr/src/
# make -j 16 KERNCONF=VIMAGE kernel
# reboot
# freebsd-verion

For more info see:

Conclusion

It is essential that you apply the patch binary or source code method to fix NFS related security issues. For more info, please see this page.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

Similar Posts