Описание
fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS. NOTE: some parties argue that such a subdirectory export is not intended to prevent this attack; see also the exports(5) no_subtree_check default behavior
A flaw leak of the file handle for parent directory in the Linux kernel's NFS3 functionality was found in the way user calls READDIRPLUS. A local user could use this flaw to traverse to other parts of the file-system than mounted sub-folder.
Отчет
This flaw is rated as having Moderate impact because of the attack limitation: the user can gain more access than expected only inside NFS root mount point if already have permissions for the access to this NFS sub-folder. Also this is a known limitation of NFSv3 and there is a known and documented configuration option to avoid this. As such, this is more of an hardening rather than security issue.
Меры по смягчению последствий
When export subdirectory of a filesystem, enable subtree_check option of the NFS server for preventing possibility of accessing outside of this export.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | kernel | Out of support scope | ||
| Red Hat Enterprise Linux 7 | kernel | Out of support scope | ||
| Red Hat Enterprise Linux 7 | kernel-alt | Out of support scope | ||
| Red Hat Enterprise Linux 7 | kernel-rt | Out of support scope | ||
| Red Hat Enterprise Linux 8 | kernel | Affected | ||
| Red Hat Enterprise Linux 8 | kernel-rt | Fix deferred | ||
| Red Hat Enterprise Linux 9 | kernel | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
5.7 Medium
CVSS3
Связанные уязвимости
fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS. NOTE: some parties argue that such a subdirectory export is not intended to prevent this attack; see also the exports(5) no_subtree_check default behavior
fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS. NOTE: some parties argue that such a subdirectory export is not intended to prevent this attack; see also the exports(5) no_subtree_check default behavior
fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8 when there is an NFS export of a subdirectory of a filesystem allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS. NOTE: some parties argue that such a subdirectory export is not intended to prevent this attack; see also the exports(5) no_subtree_check default behavior
fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an ...
** DISPUTED ** fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS. NOTE: some parties argue that such a subdirectory export is not intended to prevent this attack; see also the exports(5) no_subtree_check default behavior.
EPSS
5.7 Medium
CVSS3