Bug 1918179 (CVE-2021-3178) - CVE-2021-3178 kernel: path traversal in fs/nfsd/nfs3xdr.c may lead to Information Disclosure or RCE
Summary: CVE-2021-3178 kernel: path traversal in fs/nfsd/nfs3xdr.c may lead to Information Disclosure or RCE
Keywords:
Status: NEW
Alias: CVE-2021-3178
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 1918181 1920068 1920069 1920433 1920434 1925957
Blocks: 1918182
Reported: 2021-01-20 08:53 UTC by Marian Rehak
Modified: 2023-09-20 14:31 UTC (History)
CC: 37 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's NFSv3 functionality: the file handle of the parent directory of an exported sub-folder leaks in the way the server handles a READDIRPLUS call. A local user could use this flaw to traverse to parts of the filesystem outside the mounted sub-folder.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Marian Rehak 2021-01-20 08:53:37 UTC
fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS.

Reference:

https://patchwork.kernel.org/project/linux-nfs/patch/20210111210129.GA11652@fieldses.org/

Comment 1 Marian Rehak 2021-01-20 08:54:21 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1918181]

Comment 4 Alex 2021-01-20 19:10:13 UTC
Mitigation:

When exporting a subdirectory of a filesystem, enable the subtree_check option of the NFS server to prevent the possibility of accessing anything outside of this export.
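
The following is an added example for the mitigation above; it is not from the bug report, the kernel patch or nfs-utils. It audits an exports(5) file and reports every export entry that does not carry subtree_check. It assumes the nfs-utils behaviour documented in exports(5), where an entry that names neither option gets no_subtree_check (the default since nfs-utils 1.1.0), so such entries are reported too. The /etc/exports content embedded in SAMPLE_EXPORTS is constructed for the example: one weak entry with no_subtree_check, the corrected form of the same export with subtree_check, and one entry relying on the default.

```shell
#!/bin/sh
# Added example (not from the bug, the kernel patch or nfs-utils): find exports
# of a subdirectory that do not set subtree_check. Assumption: as documented in
# exports(5), an entry with neither option behaves as no_subtree_check.

# Constructed sample /etc/exports for the example.
SAMPLE_EXPORTS='
# weak: explicit no_subtree_check on a subdirectory export
/srv/data/shared   192.168.10.0/24(rw,sync,no_subtree_check)
# corrected: subtree_check keeps clients inside /srv/data/shared
/srv/data/shared   192.168.20.0/24(rw,sync,subtree_check)
# default (no option given) is no_subtree_check in nfs-utils >= 1.1.0
/srv/data/other    10.0.0.0/8(ro,sync)
'

# audit_exports FILE
# Prints "path client" for every export entry that lacks subtree_check.
audit_exports() {
    # Drop comments and blank lines; exports(5) puts one export path per line,
    # followed by one or more client(options) specifications.
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1" | while read -r path clients; do
        for spec in $clients; do
            client=${spec%%(*}
            case "$spec" in
                *\(*\)) opts=${spec#*\(}; opts=${opts%\)} ;;
                *)      opts= ;;            # no option list: defaults apply
            esac
            # Match the whole word "subtree_check" only; "no_subtree_check"
            # must not count as protected.
            case ",$opts," in
                *,subtree_check,*) ;;
                *) printf '%s %s\n' "$path" "$client" ;;
            esac
        done
    done
}

# exports_are_safe FILE
# Returns 0 when every entry in FILE sets subtree_check, 1 otherwise.
exports_are_safe() {
    [ -z "$(audit_exports "$1")" ]
}

# Stand-alone run against the constructed sample.
tmpfile=$(mktemp)
printf '%s\n' "$SAMPLE_EXPORTS" > "$tmpfile"
echo "exports lacking subtree_check:"
audit_exports "$tmpfile"
rm -f "$tmpfile"
```

On a live server, `exportfs -v` shows the effective option list per export (including the implied no_subtree_check), so it is a good cross-check before and after editing /etc/exports and running `exportfs -ra`.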

Comment 10 Petr Matousek 2021-02-04 12:52:25 UTC
Statement:

This flaw is rated as having Moderate impact because of the attack limitation: the user can gain more access than expected only inside the NFS root mount point, and only if they already have permission to access this NFS sub-folder.

Also, this is a known limitation of NFSv3 and there is a known and documented configuration option to avoid it. As such, this is more of a hardening issue than a security issue.

