
NFS Exported Filesystems List Vulnerability Reported for Delphix Continuous Data Platform (KBA9363)

KBA# 9363

Issue

During security auditing or scanning, an "NFS Exported Filesystems List Vulnerability" may be reported for the Continuous Data Engine. This article addresses that concern.

The finding may be reported by various network security scanners, for example Qualys as QID 66002, and may read as follows:

“This system is running a Network File System (NFS) server that enables a remote host to access and share files and directories. The current configuration of this system gives both authorized and unauthorized users the list of exported disks and authorized hosts.

NFS Exported Filesystems List Vulnerability

If the NFS server is not required on this system, then shut down and disable the mountd and nfsd RPC services.

If the NFS server is required on this system, then the solution is not as simple. Since the server's clients need to be able to access the export list, this service cannot be shut down. Access can be restricted to hosts on the local network or hosts that are authorized clients of this server. Use either a packet filter at the system level (local packet filter) or a centralized packet filter on the firewall. Note, however, that using a firewall in front of your network will not secure the service itself, but will limit the risk to internal attacks.”

Applicable Delphix Versions

Major Release   All Sub Releases

6.0             6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1, 6.0.4.0, 6.0.4.1, 6.0.4.2, 6.0.5.0, 6.0.6.0, 6.0.6.1, 6.0.7.0, 6.0.8.0, 6.0.8.1, 6.0.9.0, 6.0.10.0, 6.0.10.1, 6.0.11.0, 6.0.12.0, 6.0.12.1, 6.0.13.0, 6.0.13.1, 6.0.14.0, 6.0.15.0

5.3             5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0

5.2             5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1

5.1             5.1.0.0, 5.1.1.0, 5.1.2.0, 5.1.3.0, 5.1.4.0, 5.1.5.0, 5.1.5.1, 5.1.6.0, 5.1.7.0, 5.1.8.0, 5.1.8.1, 5.1.9.0, 5.1.10.0

5.0             5.0.1.0, 5.0.1.1, 5.0.2.0, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.3.0, 5.0.3.1, 5.0.4.0, 5.0.4.1, 5.0.5.0, 5.0.5.1, 5.0.5.2, 5.0.5.3, 5.0.5.4

NFS Security and Delphix

Depending on configuration, this finding is expected and is not necessarily a concern.

The Delphix Continuous Data Engine leverages NFS (v3 or v4) filesystem shares for Virtualization activities on Linux or Unix hosts, including virtual database provisioning and data ingestion (depending on the database or appdata platform).  

Filesystems shared from Delphix are secured with an IP address restriction; share permissions are limited to only the intended host, based on one of two values:

1. The IP address used in the Environment configuration for discovery. If a hostname or FQDN is used, the Engine resolves it to an IP address and uses that address for the access restriction.

2. The NFS Addresses configured for the Environment. This is an optional configuration parameter for all Linux / Unix hosts that allows access from multiple IP addresses of a given host, for example a host with multiple network interfaces that can reach the Delphix Engine.

These NFS filesystems are mounted and shared dynamically based on the Dataset state; if a given Dataset is disabled, the NFS shares are removed.

Beyond this, there is one additional NFS share, /public, which is used by the Engine's Environment Validation automation. During a Dataset provision operation, the Engine temporarily test-mounts /public to confirm that the configured OS user has the permissions needed to mount NFS filesystems before it actually provisions the Dataset.

The /public NFS filesystem is read-only and empty, but it is not IP address restricted.

In versions up to and including 6.0.15.0, the /public NFS filesystem is always shared. In 6.0.16.0 and later, /public is exposed only during Environment Validation.
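To confirm from the network what a scanner sees, an administrator can audit the engine's export list and check that every share is restricted to specific client addresses as described above, with /public the expected exception on versions up to 6.0.15.0. The script below is an added example, not Delphix code: it assumes the Linux `showmount -e` output layout, and the engine name, export paths and client addresses in the sample listing are constructed placeholders.

```shell
# Added example, not Delphix code. Audits a `showmount -e` listing and reports
# exports whose client list is not a set of specific IPv4 addresses, i.e. the
# exports a scanner such as QID 66002 would consider visible to any host.
# Assumes the Linux showmount layout: "<path> <clients>" lines after a header.

# Constructed sample listing; engine name, paths and addresses are placeholders.
SAMPLE_EXPORTS='Export list for delphix-engine.example.com:
/public                                (everyone)
/domain0/group-1/oracle_vdb/datafile   10.0.1.25
/domain0/group-1/oracle_vdb/archive    10.0.1.25,10.0.2.25
/domain0/group-2/pg_vdb/data           *'

# unrestricted_exports LISTING
# Prints one export path per line for every export whose client list
# contains anything other than dotted-quad IPv4 addresses.
unrestricted_exports() {
    printf '%s\n' "$1" | awk '
        /^Export list for/ { next }          # header line
        NF < 2 { next }                      # blank or malformed line
        {
            n = split($2, client, ",")
            restricted = 1
            for (i = 1; i <= n; i++)
                if (client[i] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                    restricted = 0
            if (!restricted) print $1
        }'
}

# count_unrestricted LISTING
# Number of exports that unrestricted_exports would report.
count_unrestricted() {
    unrestricted_exports "$1" | wc -l | tr -d ' '
}

# Against a live engine (needs network access to the engine; not run here):
#   unrestricted_exports "$(showmount -e delphix-engine.example.com)"
unrestricted_exports "$SAMPLE_EXPORTS"
```

On an engine running 6.0.16.0 or later, an export appearing in this report outside an Environment Validation window warrants investigation.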

Qualys QID 66002 also raises a possible concern about the exposure of NFSv3 mounts, which are visible (though not necessarily accessible) from a remote host and may be perceived as a vulnerability. If this specific exposure is a concern, the DevOps Data Platform NFSv4 feature should be used.

Resolutions

Beginning in 7.0, if no NFSv3 mounts are active from the Continuous Data Engine, NFSv3 services will be stopped on the engine, and showmount requests will not return any result, thereby removing the finding from the security scanner.

Note:

Delphix Continuous Data Engine 6.0.16.0 no longer exports /public without IP restrictions. Please see How to Test NFS Mounting from Target Hosts (KBA5873) for further details.

Delphix does not use the static /etc/exports file found on many Linux / Unix NFS servers; share permissions are handled dynamically.

Beyond the solutions described here and the changes in the Continuous Data Engine, Network Security teams have the options mentioned in the Qualys report, a firewall or packet filtering in front of the Engine, though these can introduce latency.

In Delphix version 10.0.0.0 and later, an additional option is offered which explicitly disables all NFSv3 services on a Continuous Data Engine.  However, this should be used with caution; if the Engine is using NFSv3 for any hosts where NFSv4 is unavailable due to missing requirements, the VDBs provisioned to those hosts will be unavailable.

The following documentation links provide details on enabling NFSv4 and on explicitly disabling NFSv3 (via the NFSv4-only setting).

https://cd.delphix.com/docs/latest/nfsv4-configuration

https://cd.delphix.com/docs/latest/cli-cookbook-setting-nfs-version