
QID 68519 - RPC Mountd Information Disclosure Vulnerability

Question asked by George Johnson on Apr 25, 2019

We have a customer scan reporting this issue for an NFS v4 system, but according to the development team who supports this system, this is a v3 behavior issue. They are recommending that the test include the following string:

" -o -vers=3".

 

Has anyone else seen this issue for an NFS v4 file system?

 

The full comment from the development team who supports NFS file system is the following:

------

It appears Qualys is running on a client platform which is negotiating a NFS4.0 connection, and mistaking it for an NFSv3 (rpc.mountd) connection.

NFSv4 DOES NOT use the rpc.mountd protocol, which QID 68519 calls out specifically. If the NFSv4 server is enabled and Qualys is using a modern Linux client, Qualys will mount NFSv4 due to Linux clients' default behavior.

This is a source of misunderstanding for customers and is a false positive.

To fix this issue, we suggest Qualys specify the version of NFS they want to mount, in this case, NFS v3, which uses rpc.mountd.

NFSv4 does return FILE_NOT_FOUND (ENOENT). However, NFSv4 treats mount points much differently than NFSv3. NFSv4 uses a pseudo-filesystem where mount points are traversable. To change this behavior would be to break applications that use NFSv4.

------
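One way to check from the server's RPC registrations whether the MOUNT service (rpc.mountd) named in the QID is offered at all, as an added example that is not part of the original post or the development team's comment. It parses `rpcinfo -p` output; the two listings are constructed samples, the function names are hypothetical, and 100005 / 100003 are the standard ONC RPC program numbers for MOUNT and NFS.

```python
MOUNTD_PROG = 100005  # ONC RPC program number of the MOUNT protocol (rpc.mountd)
NFS_PROG = 100003     # ONC RPC program number of NFS

# Constructed `rpcinfo -p` listings (not taken from the scanned system).
SAMPLE_V3_AND_V4 = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
"""
SAMPLE_V4_ONLY = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100003    4   tcp   2049  nfs
"""

def parse_rpcinfo(text):
    """Return (program, version, proto, port) tuples from `rpcinfo -p` output."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header, blank lines and any row that is not numeric.
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        try:
            rows.append((int(fields[0]), int(fields[1]), fields[2], int(fields[3])))
        except ValueError:
            continue
    return rows

def triage(text):
    """Summarise whether a mountd-based finding can apply to this host."""
    rows = parse_rpcinfo(text)
    mountd = sorted({(v, proto, port) for prog, v, proto, port in rows
                     if prog == MOUNTD_PROG})
    nfs_versions = sorted({v for prog, v, _, _ in rows if prog == NFS_PROG})
    return {
        "mountd_registered": bool(mountd),   # False: no MOUNT service to query
        "mountd_endpoints": mountd,          # (version, proto, port) per registration
        "nfs_versions": nfs_versions,
    }

if __name__ == "__main__":
    for name, sample in (("v3+v4", SAMPLE_V3_AND_V4), ("v4 only", SAMPLE_V4_ONLY)):
        print(name, triage(sample))
```

Feed it the output of `rpcinfo -p <server>` captured from the host in the scan report to compare what is registered with what the finding claims.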
