A detailed report has been published regarding a Windows RCE vulnerability in the Network File System (NFS).
The lurking flaw
The vulnerability, tracked as CVE-2022-30136, was patched in June, however, the report provided more detailed information about potential exploitation.
- The flaw is contained within Windows NFS and occurs due to improper handling of NFSv4 requests.
- It could be abused by sending malicious RPC calls to a target server.
- Further, successful exploitation could result in arbitrary code execution as SYSTEM. On the other side, unsuccessful exploitation could even crash the system.
More insights
The NFS was built by Sun Microsystems in 1984. It allows users to access files remotely, in the same manner as local files, and supports Windows and non-windows file systems. The flaw existed in the Windows implementation.
- NFS uses Open Network Computing (ONC) Remote Procedure Call (RPC) to exchange control messages. The vulnerability occurs due to incorrect calculation of the size of response messages.
- The server calls a function to calculate the size of each opcode response, though it does not include the size of the opcode itself. Due to this, the response buffer becomes too small and an overflow may happen.
Possible solutions
CVE-2022-30136 has been patched, although the advisory suggests that a user has to install the fix for CVE-2022-26937 first. Moreover, the vulnerable function is only being used for NFS version 4. An attack could be stopped by just disabling NFSv4.1 as well.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/425d_shutterstock_1063957367.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/cc0d_shutterstock_1092579335.jpg)
