CVE-2013-20001 in OpenZFS
Summary
by MITRE • 02/13/2021
An issue was discovered in OpenZFS through 2.0.3. When an NFS share is exported to IPv6 addresses via the sharenfs feature, there is a silent failure to parse the IPv6 address data, and access is allowed to everyone. IPv6 restrictions from the configuration are not applied.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 11/03/2025
The vulnerability identified as CVE-2013-20001 affects OpenZFS versions through 2.0.3 and represents a critical authorization flaw in the NFS sharing implementation. This issue specifically manifests when NFS shares are exported to IPv6 addresses using the sharenfs feature, creating a security bypass condition where IPv6 address parsing fails silently without proper validation. The flaw operates at the network access control layer where the system fails to properly interpret IPv6 address data, resulting in unintended unrestricted access to shared resources.
The technical implementation of this vulnerability stems from inadequate input validation within the NFS export parsing mechanism. When IPv6 addresses are processed through the sharenfs feature, the system encounters a parsing failure that occurs silently in the background without generating error messages or logging failures. This silent failure creates a dangerous default state where access controls are bypassed entirely, allowing any client to access the exported NFS shares regardless of the configured IPv6 restrictions. The vulnerability demonstrates a classic security by design flaw where the system defaults to permissive access rather than restrictive access when encountering parsing errors.
The operational impact of this vulnerability extends beyond simple unauthorized access to encompass potential data exposure and system compromise. Since IPv6 restrictions are not applied due to the silent parsing failure, attackers can exploit this weakness to gain access to sensitive data stored on ZFS filesystems through NFS shares. The vulnerability affects organizations that rely on IPv6 networking and NFS sharing, particularly those implementing network access controls based on IPv6 address ranges. This weakness can be exploited by remote attackers without requiring authentication credentials, making it particularly dangerous in environments where NFS shares are exposed to untrusted networks.
Security mitigations for this vulnerability require immediate patching of OpenZFS installations to versions that address the IPv6 parsing issue. Organizations should implement network segmentation and firewall rules to restrict NFS access at the network level until the underlying vulnerability is resolved. The implementation of additional monitoring and logging for NFS access attempts can help detect exploitation attempts, while regular security audits should verify that IPv6 restrictions are properly enforced. This vulnerability aligns with CWE-284 Access Control Issues and demonstrates characteristics similar to ATT&CK technique T1071.004 Application Layer Protocol: DNS, where protocol parsing failures create unauthorized access conditions. The remediation process should include thorough testing of NFS configurations to ensure proper IPv6 address handling and validation, with particular attention to systems that rely on IPv6 networking for secure access controls.