by Tien Phan  |  May 30, 2016  |  Filed in: Security Research
Network File System (NFS) is a distributed file system protocol, originally developed by Sun Microsystems in 1984, that allows a user to access files across a computer network. It has been used widely to store and share data, data that is sometimes important or sensitive.

However, compared with the Server Message Block (SMB) protocol, NFSv3 doesn’t provide user-based authentication. Since version 4, NFS has supported Kerberos to improve authentication, but it has not been implemented widely. Most servers on the Internet that have been linked to data leakage have been shown to use NFSv3. This means that IT administrators need to manually establish rules, based on client IP addresses, dictating which clients can safely be given access to shared data. This process can be tedious and time consuming, but it is essential in order to establish data security controls that prevent sensitive or confidential data from being accessible from the Internet.

Using data provided by the website shodan.io, we conducted a study of the publicly open NFS servers on the Internet, and the results are quite interesting. We found that 10% of NFS servers in the world, which contain thousands of terabytes of data, are open for everyone to access. Some of the servers we identified contain confidential data such as email backups, server logs and web source code for active websites, among others:

Figure 1. Global leakage.

In Singapore alone, 11.2% of NFS servers are open, while we found 5.8% and 14.3% of NFS servers to be open in Japan and Vietnam respectively:

Figure 2. Singapore leakage.

Figure 3. Japan leakage.

Figure 4. Vietnam leakage.

Below is a heatmap of open NFS servers worldwide:

Figure 5. Global heatmap.

Wrap Up
Based on this study, we conclude that many users and companies are inadvertently exposing their backups, documents, and even source code on the Internet through poor NFS server configuration. This includes website source code that is accessible to anyone. Nor is this limited to read-only access: in most cases write access is available as well.

In cases where a website’s “public_html” folder is publicly exposed, anyone could gain the highest level of privilege on that server and take control of it (e.g. using *nix setuid techniques to gain root privilege).

Below are the types of data that are typically shared via NFS:
  • Sharing Network Attached Storage (NAS).
  • Sharing website source code (possibly for load balancing).
  • Sharing NFS exports used to store backups.
  • Sharing ISO images and tftpboot directories for VM installations.

Because no user-based authentication is implemented in the widely deployed NFSv3 protocol, administrators must ensure that the whitelist of authorized clients is properly configured. Likewise, administrators must be careful when using wildcards (*) in their whitelist, as other IPs in the same network (using the same hosting provider and the same ISP) can inadvertently match a wildcard entry.
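On Linux NFS servers that whitelist lives in /etc/exports. The following is an added example, not code from the original post: a small Python checker that parses an exports file and flags the entries this post warns about (an export open to everyone, a wildcard host pattern, and write access or no_root_squash on such entries). The sample exports text is constructed; its paths and addresses are placeholders.

```python
import re

# Constructed sample /etc/exports (placeholder paths and addresses).
# Line 2 contains the classic "host (opts)" mistake: with a space before the
# parenthesis, exports(5) applies the bare "(rw,...)" to every client, i.e. "*".
SAMPLE_EXPORTS = """\
/srv/nas        10.0.0.0/24(rw,sync,root_squash)
/var/www/html   web01 (rw,no_root_squash)
/backup         *(rw,sync)
/iso            *.example.net(ro)
/var/mail       10.0.0.5(rw,sync,root_squash) 10.0.0.6(ro)
"""

# One client token: optional host, optional "(option,option,...)" suffix.
CLIENT = re.compile(r"([^(]*)(?:\((.*)\))?")

def parse_exports(text):
    """Return [(path, [(host, [option, ...]), ...]), ...] for an exports file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        clients = []
        for token in rest.split():
            m = CLIENT.fullmatch(token)
            if not m:                            # malformed token, e.g. unbalanced "("
                continue
            host, opts = m.groups()
            # An empty host means a bare "(opts)" token: that is a world export.
            clients.append((host or "*", opts.split(",") if opts else []))
        entries.append((path, clients))
    return entries

def audit(text):
    """Flag risky entries; returns [(path, host, code), ...] in file order."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            if host == "*":
                # Default access is read-only; "rw" makes the world export writable.
                findings.append((path, host, "WORLD_RW" if "rw" in opts else "WORLD_RO"))
            elif "*" in host or "?" in host:
                # Hostname patterns can match unrelated neighbours at the same provider.
                findings.append((path, host, "WILDCARD"))
            if "no_root_squash" in opts:
                # Remote root keeps uid 0 on this export; root_squash is the safe default.
                findings.append((path, host, "NO_ROOT_SQUASH"))
    return findings

if __name__ == "__main__":
    for path, host, code in audit(SAMPLE_EXPORTS):
        print(f"{code:15} {path} -> {host}")
```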

On the other hand, if users want to share their data publicly, they must be careful to ensure that no personal data or backups are included along with the shared files.

Recommendations
  • Switch to NFS version 4 and enable strong authentication using Kerberos.
  • If you're still using NFS version 3 or older, make sure your configuration only allows connections from your own IP addresses.
  • Enable NFS application control signature (http://fortiguard.com/appcontrol/app-16303) on your main gateway to block all unexpected NFS connections from the outside.

-= FortiGuard Lion Team =-
