FreeBSD up to 9.1 NFS nfs_nfsdport.c nfsrvd_readdir input validation
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 9.5 | $0-$5k | 0.00 |
Summary
A vulnerability has been found in FreeBSD up to 9.1 and classified as critical. Affected by this vulnerability is the function nfsrvd_readdir of the file sys/fs/nfsserver/nfs_nfsdport.c of the component NFS. The manipulation leads to input validation.
This vulnerability is known as CVE-2013-3266. There is no exploit available.
It is recommended to upgrade the affected component.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Details
A vulnerability, which was classified as very critical, was found in FreeBSD up to 9.1 (Operating System). Affected is the function nfsrvd_readdir of the file sys/fs/nfsserver/nfs_nfsdport.c of the component NFS. The manipulation with an unknown input leads to a input validation vulnerability. CWE is classifying the issue as CWE-20. The product receives input or data, but it does
not validate or incorrectly validates that the input has the
properties that are required to process the data safely and
correctly. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:
The nfsrvd_readdir function in sys/fs/nfsserver/nfs_nfsdport.c in the new NFS server in FreeBSD 8.0 through 9.1-RELEASE-p3 does not verify that a READDIR request is for a directory node, which allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code by specifying a plain file instead of a directory.
The weakness was published 04/29/2013 by Adam Nowacki (Website). The advisory is shared for download at freebsd.org. This vulnerability is traded as CVE-2013-3266 since 04/23/2013. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. There are known technical details, but no exploit is available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 05/10/2021).
The vulnerability scanner Nessus provides a plugin with the ID 66548 (Debian DSA-2672-1 : kfreebsd-9 - interpretation conflict), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Debian Local Security Checks.
Upgrading to version 8.4-PRERELEASE or 9.1-STABLE eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability. Furthermore it is possible to detect and prevent this kind of attack with TippingPoint and the filter 13148.
The vulnerability is also documented in the databases at Tenable (66548), SecurityFocus (BID 59585†), OSVDB (92886†), Secunia (SA53241†) and Vulnerability Center (SBV-39393†). VulDB is the best source for vulnerability data and more expert information about this specific topic.
Product
Type
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 10.0VulDB Meta Temp Score: 9.5
VulDB Base Score: 10.0
VulDB Temp Score: 9.5
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Input validationCWE: CWE-20
CAPEC: 🔍
ATT&CK: 🔍
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | unlock | unlock | unlock | unlock |
|---|---|---|---|---|
| Today | unlock | unlock | unlock | unlock |
Nessus ID: 66548
Nessus Name: Debian DSA-2672-1 : kfreebsd-9 - interpretation conflict
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Port: 🔍
OpenVAS ID: 892785
OpenVAS Name: Debian Security Advisory DSA 2672-1 (kfreebsd-9 - interpretation conflict
OpenVAS File: 🔍
OpenVAS Family: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Upgrade: FreeBSD 8.4-PRERELEASE/9.1-STABLE
TippingPoint: 🔍
McAfee IPS: 🔍
McAfee IPS Version: 🔍
ISS Proventia IPS: 🔍
Fortigate IPS: 🔍
Timeline
04/23/2013 🔍04/29/2013 🔍
04/29/2013 🔍
04/29/2013 🔍
05/01/2013 🔍
05/01/2013 🔍
05/02/2013 🔍
05/06/2013 🔍
05/23/2013 🔍
05/10/2021 🔍
Sources
Product: freebsd.orgAdvisory: freebsd.org
Researcher: Adam Nowacki
Status: Not defined
CVE: CVE-2013-3266 (🔍)
GCVE (CVE): GCVE-0-2013-3266
GCVE (VulDB): GCVE-100-8580
OVAL: 🔍
SecurityFocus: 59585 - FreeBSD NFS Server CVE-2013-3266 Memory Corruption Vulnerability
Secunia: 53241 - FreeBSD NFS Server READDIR Request Processing Security Issue, Less Critical
OSVDB: 92886
SecurityTracker: 1028491
Vulnerability Center: 39393 - FreeBSD NFS Server 8.x Remote File System Read/Write and DoS Vulnerability via READDIR Request, High
Entry
Created: 05/06/2013 03:09 PMUpdated: 05/10/2021 01:16 PM
Changes: 05/06/2013 03:09 PM (79), 04/28/2017 10:07 AM (6), 05/10/2021 01:10 PM (3), 05/10/2021 01:16 PM (1)
Complete: 🔍
Committer: roga
Cache ID: 18:506:40
No comments yet. Languages: en.
Please log in to comment.