Quick Summary
NFS Share Exported Without Authentication is a network service misconfiguration where a Network File System (NFS) share is exported without proper authentication or access restrictions. This may allow unauthorized users to mount the share, access sensitive files, modify data, or upload malicious content.
Vulnerability Classification
| Field | Value |
|---|---|
| Vulnerability Type | NFS Access Control Misconfiguration |
| CWE ID | CWE-284 – Improper Access Control |
| CVE ID | N/A (Configuration Issue) |
| CVSS 4.0 Base Score | 8.4 (High) |
| CVSS Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H |
| OWASP Category | A05:2021 – Security Misconfiguration |
| Attack Surface | Internal / External Network |
Affected Asset / Environment
- Service: Network File System (NFS)
- Default Ports: 2049 (NFS), 111 (RPCBind)
- Platforms: Linux, Unix Servers
- Testing Method: Internal / Black-box Network Assessment
- Tools Used: Nmap, showmount, mount
Description
The assessor observed that the NFS service running on the target system exports one or more file shares without enforcing authentication or IP-based access restrictions. During testing, it was possible to enumerate and mount the exported share without providing valid credentials.
NFS is commonly used for file sharing between trusted systems. However, when improperly configured, any system with network access may mount the share and access stored files.
Depending on the export configuration, attackers may be able to read, modify, or delete files. In certain scenarios, improper root squashing settings may allow privilege escalation.
Root Cause
The issue occurs due to an insecure NFS export configuration.
Common root causes include:
- Wildcard IP access in /etc/exports (e.g., *)
- No authentication enforcement
- Root squash disabled
- Failure to restrict access to trusted hosts
- Lack of network segmentation
Business Impact
Exploitation of this vulnerability may allow unauthorized access to sensitive files, backups, configuration data, or application resources. If write access is permitted, attackers may modify or delete files, resulting in data corruption or service disruption.
In production environments, exposure of NFS shares may lead to data leakage, ransomware deployment, or lateral movement within the network.
Technical Impact
An attacker can:
- Enumerate exported NFS shares
- Mount the share locally
- Browse directory contents
- Download sensitive files
- Upload malicious files
- Modify or delete critical data
If root squash is disabled, attackers may escalate privileges within the mounted file system.
Proof of Concept (PoC)
Step 1: Identify NFS Service
nmap -sV -p 2049,111 <target-ip>
If port 2049 or 111 is open, proceed with enumeration.
Step 2: Enumerate Exported Shares
showmount -e <target-ip>
If exported directories are listed without authentication, the system is vulnerable.
Step 3: Mount the NFS Share
mount -t nfs <target-ip>:/exported-directory /mnt
If mounting succeeds without authentication, unauthorized access is confirmed.
Step 4: Verify Read Access
ls -la /mnt
If directory contents are visible, the share is exposed.
Step 5: Test Write Access (If Permitted)
touch /mnt/testfile.txt
If file creation succeeds, write permissions are enabled, increasing severity.
Exploitation Prerequisites
- Network access to NFS ports (2049, 111)
- NFS service enabled
- Exported share configured without restriction
- No IP-based filtering
Remediation
It is recommended that NFS exports be restricted to authorized hosts only.
Recommended actions:
- Restrict /etc/exports to specific trusted IP addresses
- Enable root squash to prevent privilege escalation
- Disable NFS if not required
- Implement firewall rules to restrict NFS access
- Use secure authentication mechanisms (Kerberos where applicable)
- Conduct periodic configuration audits
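One way to run the periodic configuration audit recommended above, as an added example that is not part of the original write-up: a small Python parser for /etc/exports that flags the root causes listed earlier (open or wildcard client lists, no_root_squash, exports writable by any host, and exports that accept AUTH_SYS rather than Kerberos). The SAMPLE text, its paths and its addresses are constructed for illustration, and export paths are assumed to contain no whitespace.

```python
# Clients that match every host able to reach the server.
WORLD = {"", "*", "0.0.0.0/0", "::/0"}

def parse_exports(text):
    """Yield (path, client, options) per client spec in exports(5) text.
    Assumption: export paths contain no whitespace (no quoted paths)."""
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.split("#", 1)[0].strip()             # strip comments
        if not line:
            continue
        path, *specs = line.split()
        defaults = []
        for spec in specs or [""]:       # no client list means any host
            if spec.startswith("-"):     # "-opt,opt" sets defaults for the line
                defaults = spec[1:].split(",")
                continue
            client, _, rest = spec.partition("(")
            own = [o for o in rest.rstrip(")").split(",") if o]
            yield path, client, defaults + own

def audit(text):
    """Return (path, client, issue) findings for insecure export settings."""
    findings = []
    for path, client, opts in parse_exports(text):
        shown = client or "*"
        world = client in WORLD
        if world:
            findings.append((path, shown, "exported to any host"))
        elif "*" in client or "?" in client:
            findings.append((path, shown, "wildcard client pattern"))
        if "no_root_squash" in opts:     # root_squash is the default
            findings.append((path, shown, "root squash disabled"))
        if world and "rw" in opts:       # ro is the default
            findings.append((path, shown, "writable by any host"))
        sec = next((o[4:] for o in opts if o.startswith("sec=")), "sys")
        if "sys" in sec.split(":"):      # AUTH_SYS trusts client-asserted UIDs
            findings.append((path, shown, "AUTH_SYS accepted, no Kerberos"))
    return findings

# Constructed sample exports file, not taken from a real host.
SAMPLE = """\
/srv/backups   *(rw,no_root_squash)
/srv/public    (ro)
/srv/projects  10.0.5.21(rw,root_squash,sec=krb5p) \\
               *.lab.example(ro)
/srv/home      -sec=krb5p 10.0.5.0/24(rw)
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

To audit a live server, pass the contents of its /etc/exports file to audit() in place of SAMPLE.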
Detection and Monitoring
- Monitor NFS access logs
- Alert on unauthorized mount attempts
- Restrict NFS traffic via network segmentation
- Regularly review exported directories
