Delphix

NFS Exported Filesystems List Vulnerability Reported for Delphix Continuous Data Platform (KBA9363)


KBA

KBA# 9363

 

Issue

During security auditing or scanning, an "NFS Exported Filesystems List Vulnerability" may be reported for the Delphix Continuous Data platform. This article addresses that concern.

The finding may be reported by various network security tools, such as Qualys (QID 66002), and may read as follows:

"NFS Exported Filesystems List Vulnerability

If the NFS server is not required on this system, then shut down and disable the mountd and nfsd RPC services.

If the NFS server is required on this system, then the solution is not as simple. Since the server's clients need to be able to access the export list, this service cannot be shut down. Access can be restricted to hosts on the local network or hosts that are authorized clients of this server. Use either a packet filter at the system level (local packet filter) or a centralized packet filter on the firewall. Note, however, that using a firewall in front of your network will not secure the service itself, but will limit the risk to internal attacks."

Applicable Delphix Versions

Major Release: 6.0
Sub Releases: 6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1, 6.0.4.0, 6.0.4.1, 6.0.4.2, 6.0.5.0, 6.0.6.0, 6.0.6.1, 6.0.7.0, 6.0.8.0, 6.0.8.1, 6.0.9.0, 6.0.10.0, 6.0.10.1, 6.0.11.0, 6.0.12.0, 6.0.12.1, 6.0.13.0, 6.0.13.1, 6.0.14.0, 6.0.15.0

Major Release: 5.3
Sub Releases: 5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0

Major Release: 5.2
Sub Releases: 5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1

Major Release: 5.1
Sub Releases: 5.1.0.0, 5.1.1.0, 5.1.2.0, 5.1.3.0, 5.1.4.0, 5.1.5.0, 5.1.5.1, 5.1.6.0, 5.1.7.0, 5.1.8.0, 5.1.8.1, 5.1.9.0, 5.1.10.0

Major Release: 5.0
Sub Releases: 5.0.1.0, 5.0.1.1, 5.0.2.0, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.3.0, 5.0.3.1, 5.0.4.0, 5.0.4.1, 5.0.5.0, 5.0.5.1, 5.0.5.2, 5.0.5.3, 5.0.5.4

NFS Security and Delphix

This finding is expected and, in general, should not be considered a concern.

The Delphix DevOps Data Platform uses NFS (v3 or v4) filesystem shares for virtualization activities on Linux or Unix hosts, including virtual database provisioning and data ingestion (depending on the database or appdata platform).

Filesystems shared from Delphix are secured with an IP address restriction; share permissions are limited to the intended host only, based on one of two values:

1. The IP address used in the Environment configuration for discovery. If a hostname or FQDN is used, the Engine resolves it to an IP address and uses that address for the access restriction.

2. The NFS Addresses configured for the Environment. This optional configuration parameter, available for all Linux / Unix hosts, allows access from multiple IP addresses of a given host. It is intended for hosts with multiple network interfaces that can reach the Delphix Engine.

These NFS filesystems are shared and mounted dynamically based on the Dataset state; if a given Dataset is disabled, its NFS shares are removed.

Beyond this, there is one additional NFS share, /public, which is used in our automation for Environment Validation. During a Dataset provision operation, the Engine temporarily performs a test mount of /public to confirm that the configured OS user has the permissions needed to mount NFS filesystems, before attempting to actually provision the Dataset.

This /public NFS filesystem is read-only and empty, but it is not IP-address restricted.

Qualys QID 66002 also raises a possible concern about the exposure of NFSv3 mounts, which are visible (though not necessarily accessible) from a remote host and may therefore be perceived as a vulnerability. If this visibility is the specific concern, the DevOps Data Platform NFSv4 feature should be used.

Beginning in 7.0, if no NFSv3 mounts from the DevOps Data Platform are active, the NFSv3 services are stopped on the Engine and showmount requests return no result, which removes the finding from the security scanner.

Note: Delphix DevOps Data Platform 6.0.16.0 no longer exports /public without IP restrictions. Please see How to Test NFS Mounting from Target Hosts (KBA5873) for further details.

 

Delphix does not use the /etc/exports mechanism offered by many Linux / Unix NFS platforms; share permissions are handled dynamically.
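As an added check, not part of this article or of any Delphix tooling, the script below audits the export list a scanner would see (the output of `showmount -e <engine>`) against the rules above: every Dataset share must be restricted to the IP or NFS Addresses configured for its Environment, only /public may be open to everyone, and not even /public on 6.0.16.0 or later, while an empty list (NFSv3 stopped, as in 7.0) is compliant. The hostname, export paths and client addresses in the sample are constructed, and the exact showmount output format of the Engine is an assumption.

```python
from typing import Dict, List, Set

# Constructed sample of `showmount -e <engine>` output; paths and
# addresses are made up, and both the "(everyone)" and "*" spellings
# of an unrestricted export are accepted below.
SAMPLE_OUTPUT = """\
Export list for delphix-engine.example.com:
/public                               (everyone)
/domain0/group-1/oracle_vdb/datafile  10.0.0.25
/domain0/group-1/mssql_vdb            10.0.0.31,10.0.1.31
"""

def parse_showmount(output: str) -> Dict[str, List[str]]:
    """Map each export path to its client list; ['*'] means everyone."""
    exports: Dict[str, List[str]] = {}
    for line in output.splitlines():
        if not line.startswith("/"):        # skip the header line
            continue
        path, _, clients = line.partition(" ")
        clients = clients.strip()
        if clients in ("*", "(everyone)", ""):   # no list: treat as open
            exports[path] = ["*"]
        else:
            exports[path] = [c.strip() for c in clients.split(",")]
    return exports

def version_tuple(version: str):
    return tuple(int(part) for part in version.split("."))

def audit_exports(output: str, engine_version: str,
                  expected_clients: Set[str]) -> List[str]:
    """Return the findings a defender would act on, per KBA9363.
    expected_clients: the discovery IPs and NFS Addresses of all
    Environments configured on the Engine (assumed to be known)."""
    findings: List[str] = []
    # Before 6.0.16.0 the empty, read-only /public share is unrestricted.
    public_may_be_open = version_tuple(engine_version) < version_tuple("6.0.16.0")
    for path, clients in parse_showmount(output).items():
        if clients == ["*"]:
            if path != "/public" or not public_may_be_open:
                findings.append(f"{path} is exported to everyone")
            continue
        for client in clients:
            if client not in expected_clients:
                findings.append(f"{path} is shared with unexpected client {client}")
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_OUTPUT, "6.0.16.0",
                                 {"10.0.0.25", "10.0.0.31", "10.0.1.31"}):
        print(finding)
```

Any finding for a Dataset share points at an Environment whose discovery address or NFS Addresses no longer match the host; a finding for /public on 6.0.16.0 or later is worth raising with Delphix support.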

Beyond the measures described here and the changes in the DevOps Data Platform, network security teams have the other options mentioned in the Qualys report, applying a firewall or packet filtering, though these can introduce latency.

Related Articles

The following articles may provide more information or related information to this article: