Operating System - HP-UX

rpc.mountd vulnerabilities

 
Winnie Chiu
Occasional Contributor

rpc.mountd vulnerabilities

During a recent security audit at our site, two rpc.mountd vulnerabilities were identified.

The first is that a user can identify what files are on a system by issuing mount -F commands. If the file exists, mount will return 'Permission denied'. If the file does not exist, the mount command returns 'No such files or directory error'. The return message needs to be consistent.

The second is that rpc.mountd does not run on a reserved port so is vulnerable to port hijacking. rpc.mountd ran on a reserved port by default until the latest version of rpc.mountd was released with patch PHNE_19620.

Are there fixes for these problems?
Alex Glennie
Honored Contributor

Re: rpc.mountd vulnerabilities

I would say yes for at least the first issue and probably to the second: take a look at the patch text for PHNE_22125, the most recent NFS patch; it certainly lists defects which could fit the bill.

My advice is to install this. If there are genuine security issues still outstanding, you would have to get an HP Response Centre to confirm these and gain a fix from the labs.
Alex Glennie
Honored Contributor

Re: rpc.mountd vulnerabilities

checked against the Sun NFS standard and the Sun behaves the same. Yes,
behavior changed between 10.20 and 11.0 and 11.0 implements the current
standard. Unfortunately, the man page hasn't been updated yet, although there
already is a request into the lab to update it. However, the port rpc.mountd
uses is virtually irrelevant to security. The rpc.mountd -p option deals with
what ports incoming connections can use. Without -p the incoming connection may
be on an unreserved port. rpc.mountd's default is to accept reserved port
connections only. The port it works on, though, is distinct. Because 11.0
conforms with Sun's standard, this behavior will not change unless Sun changes.

Alex Glennie
Honored Contributor

Re: rpc.mountd vulnerabilities

I see you've already logged a call in the UK and I've alerted them of the new patch info.
Alex Glennie
Honored Contributor

Re: rpc.mountd vulnerabilities

Early tests at HP's Labs suggest this latest patch resolved the problem(s):

11.00 server "clever" PHNE_22125 not installed
# exportfs -ua
# mount clever:/tmp/blubber /mnt
No such file or directory <------------------ This is the bug
# touch /tmp/blubber /mnt
# mount clever:/tmp/blubber /mnt
Permission denied.


Now the same with PHNE_22125
# exportfs -ua
# mount clever:/tmp/blubber /mnt
Permission denied <------------------
# touch /tmp/blubber /mnt
# mount clever:/tmp/blubber /mnt
Permission denied.
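
The difference between the two test runs above comes down to whether the reply depends on the path existing before access has been decided. A simplified C model of that ordering, added here as an illustration (it is not HP's rpc.mountd code and not from the thread); the `exports` struct, both function names and the sample path are hypothetical:

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical export table; n == 0 models the thread's `exportfs -ua`.
 * Paths are assumed to be canonical already (no "..", no symlinks). */
struct exports { const char **dirs; size_t n; };

/* True if path is an exported directory or lies beneath one. */
static int is_exported(const struct exports *ex, const char *path)
{
    for (size_t i = 0; i < ex->n; i++) {
        size_t len = strlen(ex->dirs[i]);
        if (len && strncmp(path, ex->dirs[i], len) == 0 &&
            (path[len] == '\0' || path[len] == '/'))
            return 1;
    }
    return 0;
}

/* Leaky order: the path is looked up first, so a client with no access
 * still sees ENOENT vs EACCES and learns whether the file exists. */
int mount_status_leaky(const struct exports *ex, const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return ENOENT;
    return is_exported(ex, path) ? 0 : EACCES;
}

/* Uniform order: access is decided first; only a request under an
 * exported directory may learn that the path is missing. */
int mount_status_uniform(const struct exports *ex, const char *path)
{
    struct stat st;
    if (!is_exported(ex, path))
        return EACCES;
    return stat(path, &st) == 0 ? 0 : ENOENT;
}

int main(void)
{
    struct exports none = { NULL, 0 };            /* nothing exported */
    const char *missing = "/no/such/dir/blubber"; /* constructed path */
    printf("leaky:   missing=%d existing=%d\n",
           mount_status_leaky(&none, missing), mount_status_leaky(&none, "/"));
    printf("uniform: missing=%d existing=%d\n",
           mount_status_uniform(&none, missing), mount_status_uniform(&none, "/"));
    return 0;
}
```

With nothing exported, the leaky order prints two different error codes for the missing and the existing path, while the uniform order prints the same code for both.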