Allele Security Alert
ASA-2018-00063
Identifier(s)
ASA-2018-00063, FreeBSD-SA-18:13.nfs, CVE-2018-17157
Title
Missing sanity check in nfsrvd_compound()
Vendor(s)
The FreeBSD Project
Product(s)
FreeBSD
Affected version(s)
All supported versions of FreeBSD.
Fixed version(s)
stable/11, 11.2-STABLE
releng/11.2, 11.2-RELEASE-p5
Proof of concept
Unknown
Description
Insufficient and improper checking in the NFS server code could cause a denial of service or possibly remote code execution via a specially crafted network packet.
Technical details
The function nfsrvd_compound() started statistics gathering for an operation before the operation number (the variable called “op”) was sanity checked.
File: sys/fs/nfsserver/nfs_nfsdsocket.c --- 621 static void 622 nfsrvd_compound(struct nfsrv_descript *nd, int isdgram, u_char *tag, 623 int taglen, u_int32_t minorvers, NFSPROC_T *p) 624 { ... 766 *repp = *tl; *repp = *tl; 767 op = fxdr_unsigned(int, *tl); 768 NFSD_DEBUG(4, "op=%d\n", op); - binuptime(&start_time); - nfsrvd_statstart(op, &start_time); - statsinprog = 1; 769 if (op < NFSV4OP_ACCESS || 770 (op >= NFSV4OP_NOPS && (nd->nd_flag & ND_NFSV41) == 0) || 771 (op >= NFSV41_NOPS && (nd->nd_flag & ND_NFSV41) != 0)) { ... 777 } else { 778 repp++; 779 } 780 781 + binuptime(&start_time); 782 + nfsrvd_statstart(op, &start_time); 783 + statsinprog = 1; 784 785 if (i == 0) 786 op0 = op; 787 if (i == numops - 1) ... ---
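Review bot: at lines 781-783 the relocated nfsrvd_statstart(op, &start_time) sits after the if/else instead of inside the else branch, so it is only safe if the rejection branch for an out-of-range op (elided in this listing as lines 772-776) always leaves the loop before control reaches it. Either move the three statements into the else branch next to repp++, or add a comment above binuptime(&start_time) stating that op has already been range-checked at this point, so that a later change to the error path cannot bring back the unchecked call. Line 766 also shows *repp = *tl; twice; if that is in the tree and not a rendering artifact of this listing, the duplicate assignment should be dropped.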
Credits
Jakub Jirasek (Flexera)
Reference(s)
Multiple vulnerabilities in NFS server code
https://www.freebsd.org/security/advisories/FreeBSD-SA-18:13.nfs.asc
FreeBSD Security Advisory FreeBSD-SA-18:13.nfs
https://seclists.org/bugtraq/2018/Nov/48
Log of /stable/11
https://svnweb.freebsd.org/base/stable/11/?view=log&pathrev=340854
CVE-2018-17157
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17157
CVE-2018-17157
https://nvd.nist.gov/vuln/detail/CVE-2018-17157
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 7, 2019