Synology-SA-17:14 NFS

Publish Time: 2017-05-08 00:00:00 UTC+8

Last Updated: 2017-05-08 22:00:00 UTC+8

Severity: Moderate

Status: Resolved

Abstract

CVE-2017-7645 could allow remote attackers to perform a denial-of-service (DoS) attack on a vulnerable NFS server and cause a system hang or crash.

CVE-2017-7895 could allow remote attackers to read arbitrary memory from both kernel space and user space and leak sensitive information on the server.

Affected

  • Products
    • DSM 6.1
    • DSM 6.0
  • Models
    • All Synology NAS models

Description

  • CVE-2017-7645
    The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through 4.10.11 allows remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c.

  • CVE-2017-7895
    The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer, which allows remote attackers to trigger pointer-arithmetic errors or possibly have unspecified other impact via crafted requests, related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c.

Mitigation

  • Part 1: Create a rule to allow an IP range or subnet access to NFS service

    1. Under Firewall Profile, please select Edit Rules.
    2. On the top left corner, click Create to create a new firewall rule.
    3. Under Ports, please find Select from a list of built-in applications and click Select to choose an application.
    4. Find and check Mac/Linux file server and click OK.
    5. Under Source IP, please select Specific IP and click Select on the right. You can also select All if you would like to select all IPs.
    6. Here you may specify an IP range or subnet that you would like to allow access to NFS service. In the example below, NFS access is only allowed for IP addresses between 192.168.1.90 and 192.168.1.99. Click OK once you have specified the IP address or subnet.
    7. Under Action, please select Allow to allow the specified IP addresses or subnet access to NFS.
    8. Once you’ve selected an action, you can click OK. You can now see that this setup will allow NFS access only for IP addresses from 192.168.1.90 to 192.168.1.99.
  • Part 2: Create a rule to deny NFS access to all other IP addresses

    1. Please repeat steps 1-4 above.
    2. Under Source IP, select All to include all IP addresses.
    3. Under Action, please select Deny to block all IP addresses or subnet access to NFS. Click OK when done.
  • After all the steps have been completed, you can see that all IPs have been denied access to NFS service, except for IPs ranging from 192.168.1.90 to 192.168.1.99. Please note that the rule of allowed IPs must be specified before blocking all IPs.
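The following is an added example, not part of the Synology advisory: a first-match model of the two-rule policy built in Part 1 and Part 2, used to check the ordering caveat above (the allow rule must sit before the deny-all rule, or the allowed range is blocked too). It assumes the "Mac/Linux file server" application corresponds to the NFS ports TCP/UDP 2049 and portmapper 111; the actual port set DSM uses is not stated on the page.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network, summarize_address_range
from typing import Iterable, Tuple

# Assumption (not from the advisory): model the "Mac/Linux file server" built-in
# application as NFS (2049) plus the portmapper (111).
NFS_PORTS = frozenset({111, 2049})


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    ports: frozenset                   # destination ports the rule covers
    sources: Tuple[IPv4Network, ...]   # source networks the rule covers

    def matches(self, src: IPv4Address, port: int) -> bool:
        return port in self.ports and any(src in net for net in self.sources)


def range_rule(action: str, lo: str, hi: str) -> Rule:
    """Build a rule for an inclusive IP range, e.g. 192.168.1.90 to 192.168.1.99,
    by expressing the range as the minimal set of CIDR blocks."""
    nets = tuple(summarize_address_range(ip_address(lo), ip_address(hi)))
    return Rule(action, NFS_PORTS, nets)


def evaluate(rules: Iterable[Rule], src: str, port: int, default: str = "allow") -> str:
    """Ordered, first-match evaluation: the first rule that matches decides."""
    src_ip = ip_address(src)
    for rule in rules:
        if rule.matches(src_ip, port):
            return rule.action
    return default


def nfs_policy(allow_lo: str, allow_hi: str, allow_first: bool = True) -> list:
    """Part 1 (allow a range) and Part 2 (deny everyone else) in the chosen order."""
    allow = range_rule("allow", allow_lo, allow_hi)
    deny = Rule("deny", NFS_PORTS, (ip_network("0.0.0.0/0"),))
    return [allow, deny] if allow_first else [deny, allow]


if __name__ == "__main__":
    correct = nfs_policy("192.168.1.90", "192.168.1.99")
    reversed_order = nfs_policy("192.168.1.90", "192.168.1.99", allow_first=False)
    for src in ("192.168.1.95", "192.168.1.100", "10.0.0.5"):   # constructed sample clients
        print(f"{src}: correct order -> {evaluate(correct, src, 2049)}, "
              f"reversed order -> {evaluate(reversed_order, src, 2049)}")
```

With the rules in the documented order only 192.168.1.90 to 192.168.1.99 reach NFS; with the deny-all rule first, the allowed range is never consulted and every client is blocked.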

Update Availability

Not available yet.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7645
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7895
http://seclists.org/oss-sec/2017/q2/195
http://seclists.org/oss-sec/2017/q2/196