Bug 1918179 (CVE-2021-3178) - CVE-2021-3178 kernel: path traversal in fs/nfsd/nfs3xdr.c may lead to Information Disclosure or RCE
Summary: CVE-2021-3178 kernel: path traversal in fs/nfsd/nfs3xdr.c may lead to Informa...
Status: NEW
Alias: CVE-2021-3178
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nobody
QA Contact:
Depends On: 1918181 1920068 1920069 1920433 1920434 1925957
Blocks: 1918182
TreeView+ depends on / blocked
Reported: 2021-01-20 08:53 UTC by Marian Rehak
Modified: 2023-09-20 14:31 UTC (History)
37 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw leak of the file handle for parent directory in the Linux kernel's NFS3 functionality was found in the way user calls READDIRPLUS. A local user could use this flaw to traverse to other parts of the file-system than mounted sub-folder.
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Marian Rehak 2021-01-20 08:53:37 UTC
fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS.



Comment 1 Marian Rehak 2021-01-20 08:54:21 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1918181]

Comment 4 Alex 2021-01-20 19:10:13 UTC

When export subdirectory of a filesystem, enable subtree_check option of the NFS server for preventing possibility of accessing outside of this export.

Comment 10 Petr Matousek 2021-02-04 12:52:25 UTC

This flaw is rated as having Moderate impact because of the attack limitation: the user can gain more access than expected only inside NFS root mount point if already have permissions for the access to this NFS sub-folder.

Also this is a known limitation of NFSv3 and there is a known and documented configuration option to avoid this. As such, this is more of an hardening rather than security issue.

Note You need to log in before you can comment on or make changes to this bug.