
NetWare XNFS security updates - Nov 2011

This document (5117430) is provided subject to the disclaimer at the end of this document.

patches this patch supersedes

File: xnfs8c.zip
Product: NetWare 6.5 SP8
Status: Obsolete
Patch: NetWare XNFS security updates

patches that supersede this patch

This patch is not superseded by any other patches.

patch attributes

Architecture: x86
Security patch: Yes
Priority: Mandatory
Distribution Type: Public

document

Revision: 2
Document ID: 5117430
Creation Date: 2011-11-23 13:46:49
Modified Date: 2012-10-10 13:58:11

abstract

This download (xnfs8d.zip) contains an updated XNFS.NLM to correct security vulnerabilities in NetWare NFS related services. It also fixes a possible abend triggered by certain lock requests.  Older fixes (including previous security fixes) which were present in xnfs8c.zip are also included.

Since NFS is loaded on all default NetWare 6.5 systems, it is recommended that this update be placed on all NetWare systems. However, if NFS (aka Native File Access for Unix) is not needed, it is also possible to avoid this vulnerability by remarking out NFSSTART.NCF from AUTOEXEC.NCF and rebooting.

details

System Requirements:

This update is designed to be used on top of NetWare 6.5 SP8. It is expected that this can be used on top of NetWare 6.5 SP6 and SP7 as well, but this has not been tested.


Installation:

1. Rename (or save elsewhere) the existing SYS:SYSTEM\XNFS.NLM and SYS:SYSTEM\PKERNEL.NLM.

2. Copy the enclosed XNFS.NLM and PKERNEL.NLM to SYS:SYSTEM.

3. There are a number of modules that may need to be unloaded to get the new modules into effect. A reboot is the simplest way to accomplish this. However, if a reboot is not desired, the following can be executed at the system console:

UNLOAD NWFTPD #(if NetWare FTP is installed)
GYSTOP #(if NFS Gateway is installed)
NFSSTOP
UNLOAD PKERNEL #(it may already have been unloaded by this point)
NFSSTART
GYSTART #(if NFS Gateway needs to be loaded)
FTPSTART #(if NetWare FTP needs to be loaded)

Uninstalling:

To uninstall, delete the new SYS:SYSTEM\XNFS.NLM and PKERNEL.NLM and put back the copies that were saved in Installation step #1. Then perform Installation step #3.

Technical Support Information:

Fix for Bugzilla 702491:  Security vulnerability in XNFS.NLM xdrDecodeString.  See Security Fix section below for more details.

Fix for Bugzilla 671020:  Abend upon certain requests to LOCKD

Fixes carried over from previous patch build xnfs8c.zip:

Fix for Bugzilla 639926 - XNFS.NLM potential stack buffer overflow in RPC services (NFS Server, Mount Daemon, Lock Daemon, Stat Daemon). See Security Fix section below for more details.

Fix for Bugzilla 578012 - XNFS high utilization in RPC worker threads.

Fix for Bugzilla 511420 - XNFS can't mv a file to another directory, even when adequate permissions exist.

Fix for Bugzilla 515804 - PKERNEL potential stack buffer overflow in RPC CALLIT function. See Security Fix section below for more details.

security fixes

New security fix provided in this download (xnfs8d.zip):

Bugzilla 671020, CVE-2011-4191

This vulnerability allows XNFS.NLM's stack buffer to be exceeded by certain oversized incoming packets, when the information sent is processed by XNFS's xdrDecodeString function. This potentially results in processor faults, abends, or execution of arbitrary code (for example, due to corrupted code pointers in the stack). Authentication is not required to exploit this vulnerability. A remote attacker can exploit this vulnerability to alter the process's instruction pointer, or to abend XNFS processes. After 3 of these abends, NFS services become unresponsive.

This vulnerability was discovered by Francis Provencher for Protek Research Labs, reported through TippingPoint's Zero Day Initiative.  ZDI-CAN-1206, ZDI-CAN-1268, ZDI-CAN-1269.

Security fixes carried over from previous patch xnfs8c.zip:

Bugzilla 639926, CVE-2010-4227

This vulnerability allows XNFS.NLM's stack buffer to be exceeded by certain oversized incoming packets, potentially resulting in processor faults, abends, or execution of arbitrary code (for example, due to corrupted code pointers in the stack). Authentication is not required to exploit this vulnerability. A remote attacker can exploit this vulnerability to alter the process's instruction pointer, or to abend XNFS processes. After 3 of these abends, NFS services become unresponsive.

This vulnerability was discovered by Francis Provencher for Protek Research Labs, reported through TippingPoint's Zero Day Initiative. ZDI-CAN-876.

Bugzilla 515804

This vulnerability allows PKERNEL.NLM's stack buffer to be exceeded, potentially resulting in processor faults, abends, or execution of arbitrary code (for example, due to corrupted code pointers in the stack). Authentication is not required to exploit this vulnerability.

The specific flaw exists within the processing of CALLIT RPC calls. The vulnerable daemon explicitly trusts a length field when receiving data which is later copied into a stack buffer, potentially resulting in a stack overflow.

The specific code containing the vulnerability is the implementation of the CALLIT RPC call located in PKERNEL.NLM.

This vulnerability was discovered by Nick DeBaggis working with TippingPoint's Zero Day Initiative. ZDI-CAN-497.
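
The flaw class described above for xdrDecodeString and for the CALLIT handler is a wire-supplied length used to size a copy into a fixed buffer. The following is an added example, not Novell's code: it decodes a standard XDR string (RFC 4506) with the two bounds checks such a decoder needs. The function name, status codes and sample bytes are constructed for illustration, and it assumes the affected field uses the standard XDR string encoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum xdr_status { XDR_OK = 0, XDR_TRUNCATED = -1, XDR_TOO_LONG = -2 };

/* Decode one XDR string (RFC 4506): 4-byte big-endian length, the bytes,
 * then zero padding to a multiple of 4. Hypothetical helper written for
 * this example. On success *used is the number of input bytes consumed. */
static int xdr_decode_string_checked(const uint8_t *in, size_t in_len,
                                     char *dst, size_t dst_cap, size_t *used)
{
    if (in_len < 4) return XDR_TRUNCATED;
    if (dst_cap == 0) return XDR_TOO_LONG;

    /* The length field is untrusted wire data, not a buffer size. */
    uint32_t n = ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
                 ((uint32_t)in[2] << 8) | (uint32_t)in[3];

    /* Check 1: the claimed length must fit the destination plus its
     * terminator. Skipping this is the stack-overflow pattern. */
    if (n > dst_cap - 1)
        return XDR_TOO_LONG;

    /* Check 2: length plus padding must fit the bytes actually received.
     * Testing n first keeps the rounding below from wrapping. */
    size_t avail = in_len - 4;
    if (n > avail || (((size_t)n + 3u) & ~(size_t)3u) > avail)
        return XDR_TRUNCATED;

    memcpy(dst, in + 4, n);
    dst[n] = '\0';
    *used = 4 + (((size_t)n + 3u) & ~(size_t)3u);
    return XDR_OK;
}

int main(void)
{
    /* Constructed samples: "nfs" with padding, and a header claiming
     * 4096 bytes for a 16-byte destination. */
    static const uint8_t ok[] = {0, 0, 0, 3, 'n', 'f', 's', 0};
    static const uint8_t big[] = {0, 0, 0x10, 0, 'A', 'A', 'A', 'A'};
    char name[16];
    size_t used = 0;
    printf("%d\n", xdr_decode_string_checked(ok, sizeof ok, name, sizeof name, &used));
    printf("%d\n", xdr_decode_string_checked(big, sizeof big, name, sizeof name, &used));
    return 0;
}
```

Rejecting the message on either status, rather than truncating and continuing, keeps the parser from desynchronising on the rest of the RPC body.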

file contents

Compressed File Name: xnfs8d.zip

Files Included: readme_5117430.html
Size: N/A
Date: 2012-10-10 13:58:12

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

Novell is a registered trademark of Novell, Inc. in the United States and other countries. SUSE is a registered trademark of SUSE Linux AG, a Novell business. *All third-party trademarks are the property of their respective owners.

© 2007 Novell, Inc. All Rights Reserved.