Bug 373969 (CVE-2011-2500) - <net-fs/nfs-utils-1.2.6: client spoofing vulnerability (CVE-2011-2500)
Summary: <net-fs/nfs-utils-1.2.6: client spoofing vulnerability (CVE-2011-2500)
Status: RESOLVED FIXED
Alias: CVE-2011-2500
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://marc.info/?l=linux-nfs&m=13087...
Whiteboard: A4 [noglsa]
Reported: 2011-07-03 23:46 UTC by Tim Sammut (RETIRED)
Modified: 2013-08-22 09:49 UTC (History)
Description Tim Sammut (RETIRED) gentoo-dev 2011-07-03 23:46:38 UTC
From $URL:

This bug is exploitable via the following scenario and could allow an
attacker access to data that they shouldn't be able to access.

    Suppose you export a filesystem to some subnet or FQDN and also to a
    wildcard or netgroup, and I know the details of this (maybe
    showmount -e tells me). Suppose further that I can get IP packets to
    your server.

    Then I create a reverse mapping for my ipaddress to a domain that I
    own, say "black.hat.org", and a forward mapping from that domain to
    my IP address, and one of your IP addresses.

    Then I try to mount your filesystem.  The IP address gets correctly
    mapped to "black.hat.org" and then mapped to both my IP address and
    your IP address.

    Then you search through all of your exports and find that one of the
    addresses (yours) is allowed to access the filesystem.

    So you create an export based on the addrinfo you have, which allows
    my IP address the same access as your IP address.

Fix this by instead using the forward lookup of the hostname just to
verify that the original address is in the list. Then do a numeric
lookup using the address and stick the hostname in the ai_canonname.
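The matching logic described above, as an added illustration that is not part of the bug report or of nfs-utils itself: a self-contained C model with a constructed in-memory resolver and export ACL (every hostname, address and ACL entry is made up), showing the pre-1.2.6 behaviour beside the fixed one. Both variants do the same reverse lookup, forward lookup and "is the client's address in the forward list" check; the only difference is whether the whole forward list or just the client's own numeric address is then matched against the exports.

```c
/* Added example, not code from nfs-utils or from the bug report. It models
 * the mountd client-matching logic CVE-2011-2500 describes with a constructed
 * in-memory resolver and ACL so it runs offline; all names and IPs are made up. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_ADDRS 4
#define COUNT(a) (sizeof (a) / sizeof (a)[0])

/* Constructed DNS data: reverse (PTR) and forward (A) records. */
struct ptr_rec { const char *ip;   const char *host; };
struct a_rec   { const char *host; const char *addrs[MAX_ADDRS]; };

static const struct ptr_rec ptr_table[] = {
    { "192.0.2.10",  "nfs.example.net" },      /* the NFS server's own IP     */
    { "192.0.2.20",  "trusted.example.net" },  /* a legitimately named client */
    { "203.0.113.7", "black.hat.org" },        /* attacker's PTR, own zone    */
    { "203.0.113.8", "trusted.example.net" },  /* attacker's PTR, forged name */
};
static const struct a_rec a_table[] = {
    { "nfs.example.net",     { "192.0.2.10", NULL } },
    { "trusted.example.net", { "192.0.2.20", NULL } },
    /* attacker's zone resolves to the attacker's IP AND the server's IP */
    { "black.hat.org",       { "203.0.113.7", "192.0.2.10", NULL } },
};

/* Constructed export ACL: one address entry and one FQDN entry. */
enum acl_kind { ACL_ADDR, ACL_HOST };
struct acl_entry { enum acl_kind kind; const char *value; };
static const struct acl_entry export_acl[] = {
    { ACL_ADDR, "192.0.2.10" },
    { ACL_HOST, "trusted.example.net" },
};

static const char *reverse_lookup(const char *ip)
{
    for (size_t i = 0; i < COUNT(ptr_table); i++)
        if (strcmp(ptr_table[i].ip, ip) == 0)
            return ptr_table[i].host;
    return NULL;
}

static const char *const *forward_lookup(const char *host)
{
    for (size_t i = 0; i < COUNT(a_table); i++)
        if (strcmp(a_table[i].host, host) == 0)
            return a_table[i].addrs;
    return NULL;
}

/* Does the ACL admit this address, or this verified canonical name? */
static bool acl_match(const char *ip, const char *canonname)
{
    for (size_t i = 0; i < COUNT(export_acl); i++) {
        const struct acl_entry *e = &export_acl[i];
        if (e->kind == ACL_ADDR && strcmp(e->value, ip) == 0)
            return true;
        if (e->kind == ACL_HOST && canonname && strcmp(e->value, canonname) == 0)
            return true;
    }
    return false;
}

/* Reverse-resolve the client, forward-resolve that name, and trust the name
 * only if the client's address is in the forward list. Returns that list on
 * success (NULL otherwise) and the verified name in *canon. */
static const char *const *resolve_client(const char *client_ip, const char **canon)
{
    const char *host = reverse_lookup(client_ip);
    const char *const *addrs = host ? forward_lookup(host) : NULL;

    *canon = NULL;
    for (const char *const *a = addrs; a && *a; a++)
        if (strcmp(*a, client_ip) == 0) {
            *canon = host;
            return addrs;
        }
    return NULL;  /* forward and reverse records disagree: name untrusted */
}

/* Pre-1.2.6 behaviour as the report describes it: every address in the
 * forward list is matched, so an attacker who lists the server's own IP
 * in their zone inherits whatever that IP is allowed. */
bool client_allowed_vulnerable(const char *client_ip)
{
    const char *canon;
    const char *const *addrs = resolve_client(client_ip, &canon);

    if (addrs == NULL)
        return acl_match(client_ip, NULL);
    for (; *addrs; addrs++)
        if (acl_match(*addrs, canon))   /* BUG: *addrs need not be the client */
            return true;
    return false;
}

/* Fixed behaviour as the commit message describes it: the forward lookup only
 * verifies the name; matching uses the client's numeric address, with the
 * verified name carried along (nfs-utils stores it in ai_canonname). */
bool client_allowed_fixed(const char *client_ip)
{
    const char *canon;
    (void)resolve_client(client_ip, &canon);
    return acl_match(client_ip, canon);
}

int main(void)
{
    const char *clients[] = { "192.0.2.10", "192.0.2.20", "203.0.113.7", "203.0.113.8" };
    for (size_t i = 0; i < COUNT(clients); i++)
        printf("%-12s vulnerable=%d fixed=%d\n", clients[i],
               client_allowed_vulnerable(clients[i]), client_allowed_fixed(clients[i]));
    return 0;
}
```

Running it shows the two behaviours diverge only for 203.0.113.7 (black.hat.org): the vulnerable path admits it through the server's own 192.0.2.10 entry, the fixed path rejects it. The forged-PTR client 203.0.113.8 is refused by both, because its claimed name does not forward-resolve to its address, while the genuine 192.0.2.20 still matches the FQDN entry through its verified canonical name.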
Comment 1 SpanKY gentoo-dev 2013-03-24 20:23:41 UTC
this fix is in nfs-utils-1.2.6 which is in stable now
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2013-04-08 23:21:48 UTC
GLSA vote: no.
Comment 3 Sergey Popov gentoo-dev 2013-08-22 09:49:35 UTC
GLSA vote: no

Closing as noglsa