10% of NFS Servers Misconfigured

Monday, June 6, 2016 @ 03:06 PM gHale


By failing to update and continuing to run older versions of the Network File System (NFS) protocol on data storage servers, system administrators are exposing private or sensitive files to the Internet.

NFS is the protocol that defines how to connect to and access files over a network connection, usually on port 111 or 2049.

The protocol mainly sees use in enterprise environments, where administrators set up central file storage and allow employees to access it via NFS.

Misconfigurations in these servers, such as using the insecure NFSv3 instead of NFSv4 or leaving the server accessible via the Internet, can present big problems.

Security provider Fortinet said a quick scan using Shodan yielded tens of thousands of servers exposed via their NFS port. In addition, 10.6 percent (about one in ten) of all NFS servers were accessible without a password.

The problem lies with using NFSv3, an outdated version of the protocol. For its latest release, NFSv4, the protocol has been modified to use Kerberos to provide a basic level of authentication, but there are still plenty of admins running the older version.

Fortinet’s Tien Phan said in the process of researching the issue he sometimes accessed the vulnerable servers and found all kinds of sensitive information. The list includes server logs, server backups, the source code of various websites, and server image files.

Most of these exposed servers were in the U.S. (18,843 servers), China (11,608), France (10,744), Germany (7,188), and Russia (5,269).

Companies should issue a set of mitigation techniques in order to avoid exposing sensitive files online, Phan said in a blog post.

Companies should first switch to the newer NFSv4 protocol that provides a basic level of authentication.

If upgrading is not technically possible, administrators should use firewalls to restrict access to the servers to an internal list of IP addresses known to originate from inside the company.
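
One way to check a server against the two mitigations above, as an added example that is not from the original article or from Fortinet: it assumes a Linux NFS server whose shares are defined in `/etc/exports`, and flags shares that are not restricted to an internal IP list or that do not require Kerberos. The `INTERNAL_NETS` range, the paths and the sample file are constructed; continuation lines and default-option (`-opts`) entries are not handled.

```python
import ipaddress

# Assumption: networks treated as "inside the company" (constructed value).
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample exports file, not taken from any real server.
SAMPLE_EXPORTS = """\
# path        client(options)
/srv/backups  *(rw,no_root_squash)
/srv/www      10.20.4.0/24(ro,sec=sys)
/srv/images   203.0.113.0/24(rw,sec=krb5p)
/srv/home     10.20.0.0/16(rw,sec=krb5i:krb5p)
/srv/logs     (ro)
"""


def client_is_internal(client):
    """True only if the client spec is an IP or network inside INTERNAL_NETS."""
    try:
        net = ipaddress.ip_network(client, strict=False)
    except ValueError:
        return False  # "*", empty client, hostnames: not on the IP allow list
    return any(net.version == n.version and net.subnet_of(n) for n in INTERNAL_NETS)


def audit_exports(text):
    """Return (path, client, finding) tuples for risky export entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs or [""]:  # a bare path is exported to every host
            client, _, rest = spec.partition("(")
            opts = rest.rstrip(")").split(",")
            shown = client or "<any host>"
            if not client_is_internal(client):
                findings.append((path, shown, "not limited to internal IPs"))
            # exports(5): with no sec= option the default is sec=sys (no Kerberos)
            flavors = [o[4:] for o in opts if o.startswith("sec=")]
            sec = flavors[-1].split(":") if flavors else ["sys"]
            if not all(f.startswith("krb5") for f in sec):
                findings.append((path, shown, "Kerberos not required"))
    return findings


if __name__ == "__main__":
    print(*audit_exports(SAMPLE_EXPORTS), sep="\n")
```

On the constructed sample, only `/srv/home` passes both checks; hostname clients are reported as not limited to internal IPs because they cannot be matched against an IP list.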