Subject: NetBSD Security Advisory 2002-013: Bug in NFS server code allows remote denial of service
To: None <tech-security@netbsd.org, current-users@netbsd.org>
From: NetBSD Security Officer <security-officer@netbsd.org>
List: current-users
Date: 09/17/2002 12:30:28
-----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2002-013
		 =================================

Topic:		Bug in NFS server code allows remote denial of service

Version:	NetBSD-current:	source prior to Aug 3, 2002
		NetBSD 1.6 beta: source prior to Aug 3, 2002
		NetBSD-1.5.3:	affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		NetBSD-1.4.*:	affected

Severity:	remote denial of service

Fixed:		NetBSD-current:		Aug 3, 2002
		NetBSD-1.6 branch:	Aug 3, 2002 (1.6 includes the fix)
		NetBSD-1.5 branch:	September 5, 2002
		NetBSD-1.4 branch:	not yet


Abstract
========

The Network File System (NFS) allows a host to export some or all of
its filesystems, or parts of them, so that other hosts can access them
over the network and mount them as if they were on local disks.  NFS is
built on top of the Sun Remote Procedure Call (RPC) framework.

An attacker in a position to send RPC messages to an affected NetBSD
system can construct a sequence of malicious RPC messages that cause
the target system to lock up.


Technical Details
=================

A part of the NFS server code charged with handling incoming RPC
messages had an error which, when the server received a message with a
zero-length payload, would cause it to reference the payload from the
previous message, creating a loop in the message chain.  This would
later cause an infinite loop in a different part of the NFS server
code which tried to traverse the chain.

Certain Linux implementations of NFS produce zero-length RPC messages
in some cases.  A NetBSD system running an NFS server may lock up
when such clients connect.


Solutions and Workarounds
=========================

If possible, disable the NFS server on your machine.  It is
still preferable to apply the following fixes to prevent using
vulnerable NFS code in the future.

The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able
to do so. Many security-related improvements have been made, and
indeed this release has been delayed several times in order to include
fixes for a number of recent issues.

The following instructions describe how to upgrade your kernel
by updating your source tree and rebuilding and
installing a new version of kernel.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-08-03
	should be upgraded to NetBSD-current dated 2002-08-03 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		sys/nfs

	To update from CVS:

		# cd src
		# cvs update -d -P sys/nfs

	Configure, compile, install and boot a new kernel according to
	the instructions at:
	    http://www.netbsd.org/Documentation/kernel/#building_a_kernel 


* NetBSD 1.6 beta:

	Systems running NetBSD 1.6 BETAs and Release Candidates should
	be upgraded to the NetBSD 1.6 release.

	If a source-based point upgrade is required, sources from the
	NetBSD 1.6 branch dated 2002-08-03 or later should be used.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		sys/nfs

	To update from CVS:
		# cd src
		# cvs update -d -P -r netbsd-1-6 sys/nfs

	Configure, compile, install and boot a new kernel according to
	the instructions at:
	    http://www.netbsd.org/Documentation/kernel/#building_a_kernel 


* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

	Systems running NetBSD 1.5 sources dated from before
	2002-09-05 should be upgraded from NetBSD 1.5 sources dated
	2002-09-05 or later.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		sys/nfs

	To update from CVS:
		# cd src
		# cvs update -d -P -r netbsd-1-5 sys/nfs

	Configure, compile, install and boot a new kernel according to
	the instructions at:
	    http://www.netbsd.org/Documentation/kernel/#building_a_kernel 


* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

	The advisory will be updated with instructions to fix the problem
	for 1.5-based systems.


Thanks To
=========

FreeBSD security officers.  The advisory text is based on their advisory.

The NetBSD Release Engineering teams, for great patience and
assistance in dealing with repeated security issues discovered
recently.


Revision History
================

	2002-09-16	Initial release


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-013.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-013.txt,v 1.7 2002/09/16 05:17:55 dan Exp $


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPYVqUD5Ru2/4N2IFAQF7VwP9HAw6DGiJI3TmxGeVR/7fNquzCXI6QtSJ
evofRBhcsSSNGuTYn9R8KVHdn+f7n8fdc2b3huQ6UCLr3epAgRg6eeCDX8O60fpG
DvKUABOJXx1LoUEkGsNGdTizxg3uoD/2GLCvDLhZZiZ4k9srZRRzFT3neyWWdFln
EFbs33wT+40=
=78tO
-----END PGP SIGNATURE-----