Mountd Exploit

Overview

NFS is a distributed file system in which clients make use of file systems provided by servers. There is a vulnerability in some implementations of the software that NFS servers use to log requests to use file systems.

When a client makes a request to use a file system and subsequently makes that file system available as a local resource, the client is said to "mount" the file system. The vulnerability lies in the software on the NFS server that handles requests to mount file systems. This software is usually called "mountd", "rpc.mountd", or "nfsd".

Intruders who exploit the vulnerability are able to gain administrative access to the vulnerable NFS file server. That is, they can do anything the system administrator can do. This vulnerability can be exploited remotely and does not require an account on the target machine.

On some vulnerable systems, the mountd software is installed and enabled by default.

Description

NFS is used to share files among different computers over the network using a client/server paradigm. When an NFS client computer wishes to access files on an NFS server, the client must first make a request to mount the file system. There is a vulnerability in some implementations of the software that handles NFS mount requests (the mountd program). Specifically, it is possible for an intruder to overflow a buffer in the area of code responsible for logging NFS activity.

We have received reports indicating that intruders are actively using this vulnerability to compromise systems and are engaging in large-scale scans to locate vulnerable systems.

On some systems, the vulnerable NFS server is enabled by default.

Impact

After causing a buffer overflow, a remote intruder can use the resulting condition to execute arbitrary code with root privileges.

Solution

Install a vendor patch.

Consider disabling NFS until you are able to install the patch. In particular, since some systems have vulnerable versions of mountd installed and enabled by default, we recommend you disable mountd on those systems unless you are actively using those systems as NFS servers.
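
One way to find the hosts the last recommendation applies to, as an added example that is not part of the original advisory: the script reads `rpcinfo -p` output, looks for RPC program 100005 (mountd), and checks whether the exports file shares anything. The function names, verdict strings and sample portmapper listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag hosts where mountd is registered but nothing is exported.
# mountd is matched by its RPC program number (100005) because the
# service-name column of `rpcinfo -p` depends on the local /etc/rpc.

# Reads `rpcinfo -p` output on stdin; prints each distinct "proto/port"
# on which mountd is registered with the portmapper.
mountd_endpoints() {
    awk '$1 == 100005 { print $3 "/" $4 }' | sort -u
}

# Prints the number of non-blank, non-comment lines in exports file $1.
# A missing or unreadable file counts as zero exports.
export_count() {
    [ -r "$1" ] || { echo 0; return; }
    awk '!/^[ \t]*(#|$)/ { n++ } END { print n + 0 }' "$1"
}

# Reads `rpcinfo -p` output on stdin, takes the exports file as $1,
# and prints one verdict line (verdict names are this example's own).
assess_mountd() {
    endpoints=$(mountd_endpoints | tr '\n' ' ')
    if [ -z "$endpoints" ]; then
        echo "not-registered"
    elif [ "$(export_count "$1")" -eq 0 ]; then
        echo "disable-candidate ${endpoints% }"   # mountd up, nothing shared
    else
        echo "nfs-server ${endpoints% }"          # in use: patch first
    fi
}

# Constructed sample of `rpcinfo -p` output (not captured from a real host).
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    635  mountd
    100005    1   tcp    635  mountd
    100003    2   udp   2049  nfs
EOF
}

# Demo on the constructed sample with an empty exports file.
# Live use on a host you administer: rpcinfo -p | assess_mountd /etc/exports
sample_rpcinfo | assess_mountd /dev/null
```

A "disable-candidate" verdict marks a host where mountd is listening although no file systems are exported; an "nfs-server" verdict marks one that needs the vendor patch before mountd can stay enabled.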