From owner-freebsd-security@FreeBSD.ORG Wed Mar 1 16:18:41 2006
Date: Wed, 01 Mar 2006 08:18:27 -0800
From: Colin Percival <cperciva@freebsd.org>
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-06:10.nfs
In-reply-to: <200603011502.k21F26v5062428@freefall.freebsd.org>
Message-id: <4405C953.80005@freebsd.org>
FreeBSD Security Advisories wrote:
> Topic: Remote denial of service in NFS server
> [...]
> IV. Workaround
>
> 1) Disable the NFS server: set the nfs_server_enable variable to "NO"
> in /etc/rc.conf, and reboot.
>
> Alternatively, if there are no active NFS clients (as listed by the
> showmount(8) utility), simply killing the mountd and nfsd processes
> should suffice.
>
> 2) Add firewall rules to block RPC traffic to the NFS server from
> untrusted hosts.

There's one more workaround: Since this problem only affects RPC messages
incoming via TCP, disabling the use of TCP with NFS will correct this while
still allowing NFS to run over UDP. To disable use of TCP for NFS, remove
the "-t" flag from nfs_server_flags in /etc/rc.conf and reboot.

Colin Percival
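The following script is an added example and is not part of the post above or of the FreeBSD project's own tooling. It reads an rc.conf-style file and reports whether the NFS server is off, UDP-only, or still accepting TCP (the only transport the advisory reply says is affected), and it computes the nfs_server_flags value with "-t" removed, i.e. the workaround the reply describes. It assumes that when nfs_server_flags is absent from the file the system defaults apply, and that those defaults include "-t" (an assumption, noted in the code). The rc.conf fragments it checks are constructed samples written to a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an rc.conf-style file
# for the FreeBSD-SA-06:10.nfs exposure. The advisory reply says the bug is
# reachable only over TCP, so we report whether the NFS server is off,
# UDP-only, or still accepting TCP.
#
# Assumption: if nfs_server_flags is not set in the file, the defaults from
# /etc/defaults/rc.conf apply, which we take to include "-t".

# Print the last assigned value of variable $2 in file $1, quotes removed.
rc_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Print one of: disabled, udp-only, tcp-enabled
nfs_tcp_status() {
    file="$1"
    enable=$(rc_value "$file" nfs_server_enable | tr '[:lower:]' '[:upper:]')
    flags=$(rc_value "$file" nfs_server_flags)
    if [ "$enable" != "YES" ]; then
        echo "disabled"
        return 0
    fi
    # Unset flags: fall back to the assumed default, which enables TCP.
    [ -n "$flags" ] || flags="-u -t -n 4"
    tcp=no
    for f in $flags; do
        # Match "-t" and combined forms such as "-ut"; arguments like the
        # "4" in "-n 4" do not start with "-" and are ignored.
        case "$f" in
            -*t*) tcp=yes ;;
        esac
    done
    if [ "$tcp" = "yes" ]; then
        echo "tcp-enabled"
    else
        echo "udp-only"
    fi
}

# Print the flag string with "-t" removed (the reply's workaround).
udp_only_flags() {
    out=""
    for f in $1; do
        case "$f" in
            -t) ;;                              # drop the TCP flag
            -*t*) out="$out ${f%t*}${f#*t}" ;;  # strip t from a combined flag
            *) out="$out $f" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# Constructed sample rc.conf fragments for an offline run.
SAMPLES=$(mktemp -d)
printf '%s\n' 'nfs_server_enable="YES"' 'nfs_server_flags="-u -t -n 4"' > "$SAMPLES/tcp.conf"
printf '%s\n' 'nfs_server_enable="YES"' 'nfs_server_flags="-u -n 4"' > "$SAMPLES/udp.conf"
printf '%s\n' 'nfs_server_enable="NO"' > "$SAMPLES/off.conf"
printf '%s\n' 'nfs_server_enable="YES"' > "$SAMPLES/default.conf"

for c in tcp udp off default; do
    printf '%s: %s\n' "$c.conf" "$(nfs_tcp_status "$SAMPLES/$c.conf")"
done
printf 'workaround: nfs_server_flags="%s"\n' "$(udp_only_flags "-u -t -n 4")"
```

Run it against a real /etc/rc.conf by calling nfs_tcp_status with that path; a "tcp-enabled" result on an unpatched host means the advisory's TCP-only exposure still applies, and the printed workaround line is what to put in rc.conf before rebooting, as the reply describes.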