Re: [PATCH 2/4] NFSv4.1 Use clientid management rpc_clnt for fs_locations

On Wed, 2013-08-07 at 14:04 -0400, Trond Myklebust wrote:
> On Wed, 2013-08-07 at 18:01 +0000, Adamson, Andy wrote:
> > 
> > Here is the attack as described in 3530bis Security Considerations
> > section:
> > 
> > 
> >    The second operation that should definitely use integrity protection
> >    is any GETATTR for the fs_locations attribute.  The attack has two
> >    steps.  First the attacker modifies the unprotected results of some
> >    operation to return NFS4ERR_MOVED.  Second, when the client follows
> >    up with a GETATTR for the fs_locations attribute, the attacker
> >    modifies the results to cause the client to migrate its traffic to a
> >    server controlled by the attacker.
> 
> You can do the exact same thing by changing the READLINK results.

The attack is: change the unprotected LOOKUP results to point to a
symlink, then feed '/net/<evil-ip-address>/my/evil/pathname' into
READLINK.

My point is that if you're on a network where the above is a potential
threat, then you should be using krb5i or, better yet, krb5p for _all_
operations. It's not sufficient to single out fs_locations for special
treatment.

-- 
Trond Myklebust
Linux NFS client maintainer

NetApp
Trond.Myklebust@xxxxxxxxxx
www.netapp.com
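The mitigation Trond names is RPCSEC_GSS with integrity (krb5i) or privacy (krb5p) on every operation, since sec=sys and plain sec=krb5 leave RPC results unprotected against in-path modification. As an added example, not part of this thread or of the Linux NFS client code, the POSIX shell audit below reads /proc/mounts-style lines and flags NFS mounts whose sec= option is neither krb5i nor krb5p. The mount table is constructed sample data; the server names and addresses are placeholders.

```shell
#!/bin/sh
# Audit NFS mounts for missing RPCSEC_GSS integrity/privacy protection.
# Input: /proc/mounts-style lines on stdin (src mountpoint fstype opts ...).
# Output: one line per NFS mount whose sec= flavor is not krb5i or krb5p,
# i.e. sec=sys, sec=krb5 (authentication only), or no sec= at all.

# nfs_opts_protected OPTS: returns 0 when the mount option string carries
# an integrity-protecting flavor (krb5i or krb5p), 1 otherwise.
nfs_opts_protected() {
    # Wrap in commas so each option matches as a whole token.
    case ",$1," in
        *,sec=krb5i,*|*,sec=krb5p,*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_nfs_mounts: reads a mount table on stdin and prints every
# nfs/nfs4 mount that is not integrity protected.
audit_nfs_mounts() {
    while read -r src mnt fstype opts _rest; do
        case "$fstype" in
            nfs|nfs4) ;;
            *) continue ;;   # not an NFS mount, skip
        esac
        if ! nfs_opts_protected "$opts"; then
            printf '%s %s %s\n' "$mnt" "$fstype" "$opts"
        fi
    done
}

# Constructed sample mount table (placeholder hosts and addresses).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
server1:/export/home /home nfs4 rw,relatime,vers=4.1,sec=sys,addr=192.0.2.10 0 0
server2:/export/data /data nfs4 rw,relatime,vers=4.1,sec=krb5i,addr=192.0.2.11 0 0
server3:/export/old /mnt/old nfs rw,vers=3,sec=krb5,addr=192.0.2.12 0 0
server4:/export/secret /secret nfs4 rw,vers=4.1,sec=krb5p,addr=192.0.2.13 0 0'

# On a live system: audit_nfs_mounts < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | audit_nfs_mounts
```

Run against the sample, only /home (sec=sys) and /mnt/old (sec=krb5) are reported; sec=krb5 is flagged because Kerberos authentication alone does not protect the RPC results that LOOKUP, READLINK and GETATTR return.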