ASA-2018-00062 – FreeBSD: Missing validation in nfsrvd_readdirplus()


Allele Security Alert

ASA-2018-00062

Identifier(s)

ASA-2018-00062, FreeBSD-SA-18:13.nfs, CVE-2018-17158, CVE-2018-17159

Title

Missing validation in nfsrvd_readdirplus()

Vendor(s)

The FreeBSD Project

Product(s)

FreeBSD

Affected version(s)

All supported versions of FreeBSD

Fixed version(s)

stable/11, 11.2-STABLE

releng/11.2, 11.2-RELEASE-p5

Proof of concept

Unknown

Description

Insufficient and improper checking in the NFS server code could cause a denial of service or possibly remote code execution via a specially crafted network packet.

Technical details

Validation was missing for the dircount hint argument to NFSv3's ReaddirPlus and NFSv4's Readdir operations. The server checked for a zero argument (falling back to the maxcount hint) but did not check for a very large value, so the client-supplied hint directly determined how much the server tried to read via VOP_READDIR(). The patch clips dircount at the server's maximum data size, NFS_SRVMAXDATA(), since a ReaddirPlus reply entry is always larger than the corresponding VOP_READDIR() entry and reading more than that cannot be returned anyway.
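The following is an added user-space model of the size check, not FreeBSD's code: it decodes the dircount and maxcount hints as the server does (a big-endian XDR word read into an int) and derives the VOP_READDIR() buffer size with and without the clip at the server maximum data size. The XDR layout of the READDIRPLUS3args tail (cookie, cookieverf, dircount, maxcount after the file handle), the 64 KiB value standing in for NFS_SRVMAXDATA(nd), the function names, and the three sample requests are all assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for NFS_SRVMAXDATA(nd): an assumed 64 KiB server maximum data size. */
#define SRVMAXDATA 65536

/* Mirrors fxdr_unsigned(int, *tl): a big-endian XDR word read into an int. */
static int xdr_word_to_int(const uint8_t *p)
{
	uint32_t v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	    ((uint32_t)p[2] << 8) | (uint32_t)p[3];
	return ((int)v);
}

/*
 * Size of the VOP_READDIR() buffer derived from the client's hints.
 * patched == false reproduces the pre-fix logic (only the zero check);
 * patched == true adds the clip at the server maximum data size.
 */
int readdir_buf_size(int dircount, int maxcount, bool patched)
{
	int siz = dircount;

	if (siz <= 0)
		siz = maxcount;
	else if (patched && siz > SRVMAXDATA)
		siz = SRVMAXDATA;
	return (siz);
}

/*
 * Decode dircount and maxcount from a constructed READDIRPLUS3args tail.
 * Assumed layout (after the file handle): cookie (8 bytes),
 * cookieverf (8 bytes), dircount (4 bytes), maxcount (4 bytes).
 * Returns -1 on a truncated request.
 */
int size_from_request(const uint8_t *tail, size_t len, bool patched)
{
	if (len < 24)
		return (-1);
	return (readdir_buf_size(xdr_word_to_int(tail + 16),
	    xdr_word_to_int(tail + 20), patched));
}

/* Constructed sample requests; cookie and cookieverf are zero in all three. */
const uint8_t benign_tail[24] = {
	0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,
	0x00, 0x00, 0x10, 0x00,  /* dircount = 4096 */
	0x00, 0x00, 0x80, 0x00,  /* maxcount = 32768 */
};
const uint8_t zero_hint_tail[24] = {
	0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,
	0x00, 0x00, 0x00, 0x00,  /* dircount = 0: falls back to maxcount */
	0x00, 0x00, 0x80, 0x00,  /* maxcount = 32768 */
};
const uint8_t huge_hint_tail[24] = {
	0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,
	0x7f, 0xff, 0xff, 0xff,  /* dircount = INT_MAX: passes the zero check */
	0x00, 0x00, 0x80, 0x00,  /* maxcount = 32768 */
};

int main(void)
{
	const struct { const char *name; const uint8_t *tail; } reqs[] = {
		{ "benign", benign_tail },
		{ "zero dircount", zero_hint_tail },
		{ "huge dircount", huge_hint_tail },
	};

	for (size_t i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++)
		printf("%-14s before fix: %10d  after fix: %6d\n", reqs[i].name,
		    size_from_request(reqs[i].tail, 24, false),
		    size_from_request(reqs[i].tail, 24, true));
	return (0);
}
```

With the pre-fix logic the INT_MAX hint goes straight into the buffer size; after the fix it is clipped to the server maximum data size, while benign and zero hints are handled exactly as before.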

File: sys/fs/nfsserver/nfs_nfsdport.c
---
2059 int
2060 nfsrvd_readdirplus(struct nfsrv_descript *nd, int isdgram,
2061 struct vnode *vp, struct thread *p, struct nfsexstuff *exp)
2062 {
...
2110 + * Since the size of a Readdirplus directory entry reply will always
2111 + * be greater than a directory entry returned by VOP_READDIR(), it
2112 + * does not make sense to read more than NFS_SRVMAXDATA() via
2113 + * VOP_READDIR().
2114 */
2115 if (siz <= 0)
2116 siz = cnt;
2117 + else if (siz > NFS_SRVMAXDATA(nd))
2118 + siz = NFS_SRVMAXDATA(nd);
...
---
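Review bot: the `siz <= 0` branch at 2115-2116 still takes `cnt` (the client's maxcount hint) without clipping, so the new NFS_SRVMAXDATA(nd) bound at 2117-2118 only covers the dircount path; unless `cnt` is bounded earlier in nfsrvd_readdirplus() (not shown in this excerpt), a request with dircount = 0 and a large maxcount reaches VOP_READDIR() with the same oversized `siz` the patch is meant to prevent. Consider clamping after the fallback rather than in an `else` branch: `if (siz <= 0) siz = cnt;` followed by `if (siz > NFS_SRVMAXDATA(nd)) siz = NFS_SRVMAXDATA(nd);`.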

Credits

Jakub Jirasek (Flexera)

Reference(s)

Multiple vulnerabilities in NFS server code
https://www.freebsd.org/security/advisories/FreeBSD-SA-18:13.nfs.asc

FreeBSD Security Advisory FreeBSD-SA-18:13.nfs
https://seclists.org/bugtraq/2018/Nov/48

Log of /stable/11
https://svnweb.freebsd.org/base/stable/11/?view=log&pathrev=340854

CVE-2018-17158
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17158

CVE-2018-17158
https://nvd.nist.gov/vuln/detail/CVE-2018-17158

CVE-2018-17159
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17159

CVE-2018-17159
https://nvd.nist.gov/vuln/detail/CVE-2018-17159

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 7, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.