TCP
Dangerous
File transfer
Port 2049 (NFS)
Learn about port 2049 (NFS): security threats, vulnerabilities and uses. Find devices with port 2049 open.
Summary
Port number
2049
Protocol
TCP (2049/UDP is also registered; NFSv2 and NFSv3 may use it, NFSv4 does not)
Service
NFS
IANA name
NFS
Service description
Network File System (NFS) is a distributed file system protocol originally developed by Sun Microsystems in 1984. Port 2049 is the IANA-assigned NFS port for every protocol version, but the versions differ in what else they need: NFSv2 and NFSv3 servers also depend on rpcbind/portmapper (111/TCP and 111/UDP) and on the auxiliary mountd, lockd and statd services, which are usually given dynamically assigned ports. NFSv4 (including 4.1 and 4.2) folds mounting, locking and state into a single protocol on 2049/TCP, so only that port has to be opened on a firewall.

NFS lets users on client machines access files over a network much as they access local storage. A server exports a file system or directory; clients mount the export and read, write and manage its files as if they were stored locally. The protocol is built on ONC RPC and XDR at the application layer and runs over TCP or UDP (NFSv4 requires a congestion-controlled transport and is in practice TCP-only). NFSv4 also introduced stateful operations and compound requests, which cut round trips and simplify firewall traversal. Throughout, the server hosts the shared resources and the client accesses them.
## Firewall Recommendations
Restrict access to port 2049/TCP to trusted networks or hosts, and disable the service entirely if NFS is not required. Where NFS is needed, prefer NFSv4 with Kerberos (RPCSEC_GSS: sec=krb5 for authentication, krb5i adds integrity, krb5p adds integrity and privacy), because the default AUTH_SYS flavour (sec=sys) simply trusts the user and group IDs the client claims. Configure each export with the minimum necessary permissions: list specific hosts or networks rather than a wildcard, keep root_squash enabled, and avoid the insecure option unless a client genuinely needs it. Keep the NFS server software (the kernel and nfs-utils or their equivalents) patched against known vulnerabilities. If Kerberos privacy is not an option, carry NFS traffic over a VPN rather than across an untrusted network. Monitor NFS server logs for unexpected mounts and access patterns, and consider an intrusion detection system. Bear in mind that blocking 2049 is sufficient for NFSv4 but not for NFSv2/v3, which also use rpcbind on 111/TCP and 111/UDP plus dynamically assigned ports for mountd, lockd and statd; conversely, any block on 2049 also cuts off legitimate clients, so filter by source address rather than blocking the port globally.
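As an added example that is not part of this page, the following Python script applies the export-hardening advice above to an /etc/exports file: it parses the exports(5) syntax and flags wildcard clients, no_root_squash, insecure, and any export that still admits the AUTH_SYS (sec=sys) flavour. The file contents are constructed for the demonstration; the option list it assumes when a client carries no options (ro, sync, root_squash, secure, sec=sys) reflects the nfs-utils defaults.

```python
import re
from dataclasses import dataclass

# nfs-utils defaults applied when a client has no option list (see exports(5)).
DEFAULT_OPTIONS = ["ro", "sync", "root_squash", "secure", "sec=sys"]

# Constructed sample /etc/exports for the demonstration; not taken from a real host.
SAMPLE_EXPORTS = """\
# shared home directories
/srv/home   *(rw,sync,no_root_squash)
/srv/data   10.0.0.0/8(rw,sync) 192.168.1.0/24(ro,sync,insecure)
/srv/secure 10.20.0.5(rw,sync,sec=krb5p,root_squash)
/srv/build  buildbox.example.internal(rw,sync,sec=sys)
"""


@dataclass
class Finding:
    path: str
    client: str
    issue: str


def parse_exports(text):
    """Return (path, client, options) triples for each client of each export line.

    Handles comments, blank lines and the common `client(opt,...)` form; a path
    listed with no clients at all is exported to every host, as exports(5) says.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients or ["*"]:
            match = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            client, opts = match.group(1) or "*", match.group(2)
            options = opts.split(",") if opts else list(DEFAULT_OPTIONS)
            entries.append((path, client, options))
    return entries


def security_flavors(options):
    """Flavours admitted by the last sec= option, or AUTH_SYS if none is given."""
    sec = [o[4:] for o in options if o.startswith("sec=")]
    return sec[-1].split(":") if sec else ["sys"]


def audit_exports(text):
    """Flag the weak settings the firewall and export recommendations warn about."""
    findings = []
    for path, client, options in parse_exports(text):
        if client == "*":
            findings.append(Finding(path, client, "exported to every host (wildcard client)"))
        if "no_root_squash" in options:
            findings.append(Finding(path, client, "no_root_squash: remote root is root on the export"))
        if "insecure" in options:
            findings.append(Finding(path, client, "insecure: requests accepted from unprivileged source ports"))
        if "sys" in security_flavors(options):
            findings.append(Finding(path, client, "sec=sys: client-asserted uid/gid, no Kerberos"))
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f.path} [{f.client}]: {f.issue}")
```

Run it against a real file with `audit_exports(open("/etc/exports").read())`; only the /srv/secure line in the sample passes clean, because it names a single host, keeps root_squash and admits only krb5p.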
Security information
NFS, particularly when misconfigured or running older versions, carries several security risks. Historically it relied on trust relationships keyed to client IP addresses or hostnames: an export's host list is the only gate, and under the default AUTH_SYS credential flavour the server accepts whatever uid and gid the client asserts in the RPC header, with no signature or shared secret behind them. That makes IP spoofing (especially over UDP) and man-in-the-middle attacks effective, and it means anyone who controls a permitted client can act as any non-root user simply by creating a local account with the matching uid. root_squash maps remote root to an anonymous user, but an export with no_root_squash lets a remote root read any file on the export and create root-owned files on the server, including setuid binaries. Incorrectly configured exports (wildcard host lists, writable exports of system directories) expose sensitive data directly. Vulnerabilities in the server implementation itself can be exploited for remote code execution, and because NFS grants access to files and directories, a successful compromise frequently extends to the whole host and from there to the network. Attackers target NFS because it is a direct path to sensitive data and system configuration, and the complexity of NFS deployments, with rpcbind, mountd, lockd and statd alongside nfsd, produces configuration errors that are easy to exploit.
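To make the trust model concrete, here is an added example (not code from the original page) that encodes an ONC RPC NULL call to the NFS program exactly as an NFSv3 server receives it over TCP, with AUTH_SYS credentials, and decodes it back. It also illustrates the protocol description above: the uid and gid travel as plain XDR integers chosen by the client, the verifier is AUTH_NULL, and nothing in the message proves who sent it, which is why Kerberos (RPCSEC_GSS) or root_squash are the only real controls. The xid, the machine name "attacker", the probe() helper and the sample server reply are assumptions made for the demonstration.

```python
import socket
import struct

NFS_PROGRAM = 100003                       # RPC program number assigned to NFS
RPC_VERSION = 2
MSG_CALL, MSG_REPLY = 0, 1
AUTH_NULL, AUTH_SYS, RPCSEC_GSS = 0, 1, 6   # RPCSEC_GSS (6) is what sec=krb5* negotiates
NFSPROC_NULL = 0                           # no-op procedure present in every NFS version


def xdr_u32(n):
    return struct.pack(">I", n)


def xdr_opaque(data):
    """Variable-length opaque: 4-byte length, data, zero padding to a 4-byte boundary."""
    return xdr_u32(len(data)) + data + b"\x00" * ((-len(data)) % 4)


def auth_sys_body(uid, gid, gids=(), machinename="client", stamp=0):
    """authsys_parms from RFC 5531 Appendix A. Nothing here is signed or checked."""
    if len(gids) > 16:
        raise ValueError("AUTH_SYS allows at most 16 supplementary gids")
    return (xdr_u32(stamp) + xdr_opaque(machinename.encode()) + xdr_u32(uid)
            + xdr_u32(gid) + xdr_u32(len(gids)) + b"".join(xdr_u32(g) for g in gids))


def rpc_call(xid, prog, vers, proc, cred_flavor, cred_body, args=b""):
    """CALL header; the verifier is AUTH_NULL, so the credential is unauthenticated."""
    return (xdr_u32(xid) + xdr_u32(MSG_CALL) + xdr_u32(RPC_VERSION)
            + xdr_u32(prog) + xdr_u32(vers) + xdr_u32(proc)
            + xdr_u32(cred_flavor) + xdr_opaque(cred_body)
            + xdr_u32(AUTH_NULL) + xdr_opaque(b"") + args)


def rpc_accepted_reply(xid, accept_stat=0):
    """Server side of the exchange: MSG_ACCEPTED, NULL verifier, SUCCESS (sample reply)."""
    return (xdr_u32(xid) + xdr_u32(MSG_REPLY) + xdr_u32(0)
            + xdr_u32(AUTH_NULL) + xdr_opaque(b"") + xdr_u32(accept_stat))


def record_mark(msg):
    """TCP record marking (RFC 5531 section 11): last-fragment bit | fragment length."""
    return struct.pack(">I", 0x80000000 | len(msg)) + msg


class XdrReader:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def u32(self):
        (value,) = struct.unpack_from(">I", self.buf, self.pos)
        self.pos += 4
        return value

    def opaque(self):
        n = self.u32()
        data = self.buf[self.pos:self.pos + n]
        self.pos += n + (-n) % 4
        return data


def unwrap_record(record):
    """Strip the record mark of a complete single-fragment record."""
    mark = struct.unpack_from(">I", record, 0)[0]
    if not mark & 0x80000000 or (mark & 0x7FFFFFFF) != len(record) - 4:
        raise ValueError("only complete single-fragment records are handled")
    return record[4:]


def decode_call(record):
    """Parse a CALL and, for AUTH_SYS, the uid/gid the client merely asserts."""
    rd = XdrReader(unwrap_record(record))
    hdr = {k: rd.u32() for k in ("xid", "msg_type", "rpcvers", "prog", "vers", "proc")}
    hdr["cred_flavor"] = rd.u32()
    cred = XdrReader(rd.opaque())
    if hdr["cred_flavor"] == AUTH_SYS:
        hdr["stamp"] = cred.u32()
        hdr["machinename"] = cred.opaque().decode()
        hdr["uid"], hdr["gid"] = cred.u32(), cred.u32()
        hdr["gids"] = [cred.u32() for _ in range(cred.u32())]
    hdr["verf_flavor"] = rd.u32()
    rd.opaque()
    return hdr


def decode_reply(record):
    rd = XdrReader(unwrap_record(record))
    rep = {k: rd.u32() for k in ("xid", "msg_type", "reply_stat")}
    rep["verf_flavor"] = rd.u32()
    rd.opaque()
    rep["accept_stat"] = rd.u32()
    return rep


def nfs_null_call_as(uid, gid, xid=0x1234, machinename="attacker"):
    """A complete NFSv3 NULL call claiming uid/gid; the server has no way to dispute them."""
    body = auth_sys_body(uid, gid, machinename=machinename)
    return record_mark(rpc_call(xid, NFS_PROGRAM, 3, NFSPROC_NULL, AUTH_SYS, body))


def probe(host, port=2049, timeout=3.0):
    """Send the NULL call to a live server and decode its reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(nfs_null_call_as(0, 0))
        f = s.makefile("rb")
        mark = f.read(4)
        body = f.read(struct.unpack(">I", mark)[0] & 0x7FFFFFFF)
        return decode_reply(mark + body)


if __name__ == "__main__":
    print(decode_call(nfs_null_call_as(0, 0)))
    print(decode_reply(record_mark(rpc_accepted_reply(0x1234))))
```

The NULL procedure is harmless, which is what makes it a safe way to confirm that a server speaks NFSv3 over AUTH_SYS; a real file operation carries the same credential structure, so a server exporting with sec=sys and no_root_squash would act on the uid 0 claimed here.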
Known vulnerabilities
None of the identifiers below is a vulnerability in the NFS protocol or in its RPC daemons; each is listed under its actual subject.
| CVE | Name | Severity | Description |
|---|---|---|---|
| CVE-2023-4911 | glibc dynamic loader GLIBC_TUNABLES buffer overflow ("Looney Tunables") | High | A buffer overflow in ld.so's handling of the GLIBC_TUNABLES environment variable lets a local user gain root. A glibc bug, not an NFS bug; it affects the glibc-based Linux hosts that commonly run NFS servers. |
| CVE-2017-15265 | Linux kernel ALSA sequencer use-after-free | High | A race in snd_seq_create_port() in sound/core/seq/seq_clientmgr.c leads to a use-after-free that local users can trigger for privilege escalation or denial of service. Unrelated to the kernel's NFS or NFSv4 ACL code. |
| CVE-2016-7167 | curl escape/unescape integer overflow | Medium | Integer overflows in curl_escape(), curl_easy_escape(), curl_unescape() and curl_easy_unescape() when given very large input lengths. A libcurl bug, not an NFS bug. |
| CVE-2014-0132 | 389 Directory Server SASL authentication bypass | High | 389-ds-base could accept a SASL bind as an arbitrary user, bypassing authentication. Unrelated to NFS. |
Common software
- NFS server implementations (Linux kernel nfsd with nfs-utils, FreeBSD nfsd, user-space NFS-Ganesha)
- NFS client implementations (in-kernel clients on Linux, the BSDs and macOS; Windows Client for NFS)
- Red Hat Enterprise Linux
- CentOS
- Ubuntu
- FreeBSD
- macOS
- Solaris
Find devices with this port
Discover all devices with port 2049 open in any country.
ScaniteX scans millions of IP addresses to find devices with specific open ports. Suited to security research and network auditing.