-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>>                                                      CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl.  Links  <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>>                                                                           <<
>> CERT-NL also has stopped the CERT-CC-Mirror service.  Due to this the     <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the  <<
>> complete CERT-CC advisory texts:                     http://www.cert.org  <<
===============================================================================
=============================================================================
Security Advisory                                                     CERT-NL
=============================================================================
Author/Source : CERT-NL (Erik-Jan Bos)                      Index  :  S-94-23
Distribution  : World                                       Page   :        1
Classification: External                                    Version:    Final
Subject       : NFS Vulnerabilities                         Date   :20-Dec-94
=============================================================================


CERT-NL has received information that an increase in the number of
reports of root compromises caused by intruders using tools to exploit
a number of NFS (Network File System) vulnerabilities is occurring.

CERT-NL recommends limiting your exposure to these attacks by
implementing the security measures described in Section III below.

- -----------------------------------------------------------------------------

I.   Description

     There are tools being used by intruders to exploit a number of NFS
     vulnerabilities. These tools are widely available and widely distributed.

II.  Impact

     The impact varies depending on which vulnerabilities are present.
     In the worst case, intruders gain unauthorized root access from a
     remote host.

III. Security Measures

     A. Filter packets at your firewall/router.  
        Filter TCP port 111, UDP port 111 (portmapper), TCP port 2049, 
        and UDP port 2049 (nfsd). Consult your vendor or your firewall
        documentation for detailed instructions on how to configure these
        ports.

        This measure will prevent access to NFS at your site from outside
        your firewall, but it will not protect you from attacks launched from
        your local network, behind your firewall. 
        
     B. Use a portmapper that disallows proxy access.
        Be sure that you do this for every host that runs a portmapper.
        For Solaris, 2.x, use a version of rpcbind that disallows proxy
        access.

        A portmapper that disallows proxy access protects all hosts with the
        modified portmapper from attacks that originate either inside or
        outside your firewall. Because this security measure addresses only
        the portmapper vulnerability, we recommend combining it with
        measure A above. 

        Wietse Venema has developed a portmapper that disallows proxy access.
        It is available by anonymous FTP from 

             ftp.win.tue.nl:/pub/security/portmap_3.shar.Z
             info.cert.org:/pub/tools/nfs_tools/portmap_3.shar.Z
        
             MD5 checksum: f6a3ad98772e7a402ddcdac277adc4a6

         For Solaris systems, Venema has developed a version of rpcbind that
         does not allow proxy access. Solaris users should install this
         program, not the portmapper. Rpcbind is available by anonymous FTP
         from the same sites as the portmapper: 

            ftp.win.tue.nl:/pub/security/rpcbind_1.1.tar.Z
            info.cert.org:/pub/tools/nfs_tools/rpcbind_1.1.tar.Z

            MD5 checksum:  58437adcbea0a55e37d3a3211f72c08b
            
     C. Check the configuration of the /etc/exports files on your hosts.
        In particular:

         1. Do *not* self-reference an NFS server in its own exports file.
 
         2. Do not allow the exports file to contain a "localhost" entry.

         3. Export file systems only to hosts that require them.

         4. Export only to fully qualified hostnames.

         5. Ensure that export lists do not exceed 256 characters.
            If you have aliases, the list should not exceed 256 characters
            *after* the aliases have been expanded.                    
            (See CA-94:02.REVISED.SunOS.rpc.mountd.vulnerability.)

         6. Use the showmount(8) utility to check that exports are correct.

         7. Wherever possible, mount file systems to be exported read only and
            export file systems read only.

      D. Ensure that your systems are current with patches and workarounds
         available from your vendor and identified in CERT advisories.

         The following advisories address problems related to NFS:
             CA-91:21.SunOS.NFS.Jumbo.and.fsirand
             CA-92:12.REVISED.SunOS.rpc.mountd.vulnerability
             CA-92:15.Multiple.SunOS.vulnerabilities.patches
             CA-93:15.SunOS.and.Solaris.vulnerabilities
             CA-94:02.REVISED.SunOS.rpc.mountd.vulnerability

         When you ftp to info.cert.org for advisories, also check 
         for README files, which contain updates or clarifications.
 
         Vendors may have additional patches not covered by a CERT
         advisory, so be sure to contact your vendor for further information.

- ---------------------------------------------------------------------------
CERT-NL thanks CERT Coordination Center for bringing this information
to our attention and for providing large parts of the text of this
Bulletin.

The CERT Coordination Center thanks Steve Bellovin, Casper Dik,
Leendert van Doorn, and Wietse Venema for their support in responding
to this problem.
- ---------------------------------------------------------------------------


==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
  http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

   Email:     cert-nl@surfnet.nl     ATTENDED REGULARLY ALL DAYS
   Phone:     +31 302 305 305        BUSINESS HOURS ONLY
   Fax:       +31 302 305 329        BUSINESS HOURS ONLY
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands

NOODGEVALLEN:    06 22 92 35 64      ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64      ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6WGjSYjBqwfc9jEQKWHACgnGE1ihLKIWb+dlbNuUr6Q3QSaAoAoLBw
hkCxXHFhFHVMUsUPIufmrcLj
=dn7W
-----END PGP SIGNATURE-----