Windows Network File System Remote Code Execution Vulnerability

NFS (Network File System) vulnerability description

Name
Microsoft Windows Network File System Remote Code Execution Vulnerability

Severity
critical

CVE
CVE-2023-24941

Description
Microsoft Windows Network File System is vulnerable to remote code execution when parsing certain crafted NFS requests. The vulnerability is due to a lack of proper inspection of NFS requests. An attacker could exploit it by sending a crafted NFS request, and a successful attack could result in remote code execution with the server's privileges.

Reference
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-24941


How could an attacker exploit this vulnerability?

This vulnerability can be exploited over the network by making a specially crafted unauthenticated call to the Network File System (NFS) service to trigger remote code execution (RCE).

How dangerous is the vulnerability?

Confidentiality-high

Confidentiality is completely lost, exposing all resources within the affected component to the attacker. Alternatively, the attacker gains access to only some restricted information, but the disclosure of that information would have immediate, serious consequences.

Integrity-high

There is a total loss of integrity, or a total loss of protection. For example, an attacker could modify any/all files protected by the affected component. Or, only some files can be modified, but malicious modifications will have direct and serious consequences for the affected components.

Availability-high

A complete loss of availability, in which the attacker can completely deny access to resources in the affected component. This loss persists while the attacker continues the attack and even after the attack is complete. Alternatively, the attacker can deny only some availability, but the loss has direct, severe consequences for the affected component (e.g., the attacker cannot destroy existing connections, but can prevent new connections; or the attacker can repeatedly exploit the vulnerability, which leaks only a small amount of memory with each successful attack, but repeated use will make the service completely unavailable).

How to reduce the risk of vulnerabilities

This vulnerability cannot be exploited in NFSv2.0 or NFSv3.0. Until you install the Windows update that fixes the vulnerability, you can mitigate the attack by disabling NFSv4.1.

The following PowerShell command disables NFSv4.1:

PS C:\> Set-NfsServerConfiguration -EnableNFSV4 $false

After running this command, you need to restart the NFS server or restart the computer.
To restart the NFS server, launch a cmd window using "Run as administrator" and enter the following command:

To confirm that NFSv4.1 is disabled, run the following command in a PowerShell window:

PS C:\Users\Administrator> Get-NfsServerConfiguration


State                            : Running
LogActivity                      :
CharacterTranslationFile         : Not Configured
DirectoryCacheSize (KB)          : 128
HideFilesBeginningInDot          : Disabled
EnableNFSV2                      : True
EnableNFSV3                      : True
EnableNFSV4                      : False
EnableAuthenticationRenewal      : True
AuthenticationRenewalIntervalSec : 600
NlmGracePeriodSec                : 45
MountProtocol                    : {TCP, UDP}
NfsProtocol                      : {TCP, UDP}
NisProtocol                      : {TCP, UDP}
NlmProtocol                      : {TCP, UDP}
NsmProtocol                      : {TCP, UDP}
PortmapProtocol                  : {TCP, UDP}
MapServerProtocol                : {TCP, UDP}
PreserveInheritance              : False
NetgroupCacheTimeoutSec          : 30
UnmappedUserAccount              :
WorldAccount                     : Everyone
AlwaysOpenByName                 : False
GracePeriodSec                   : 240
LeasePeriodSec                   : 120
OnlineTimeoutSec                 : 180

PS C:\Users\Administrator>

EnableNFSV4 : False means that NFSv4.1 is turned off.

To re-enable NFSv4.1 after installing security updates, enter the following command:

Set-NfsServerConfiguration -EnableNFSV4 $True

Likewise, after running the command, you need to restart the NFS server or reboot the computer.
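
The disable, restart, verify and re-enable steps above can be combined into one function. This is an added example, not part of the original article; the function name Set-NfsV4State is hypothetical, and restarting with `nfsadmin server stop` / `nfsadmin server start` is an assumption, since the page does not show the restart command.

```powershell
# Added example, not from the original page. Run from an elevated PowerShell
# session on the NFS server itself.
function Set-NfsV4State {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # $false applies the mitigation; $true reverts it after patching.
        [Parameter(Mandatory)][bool]$Enabled
    )

    $current = Get-NfsServerConfiguration
    if ($current.EnableNFSV4 -ne $Enabled) {
        $action = "Set EnableNFSV4 to $Enabled and restart the NFS server"
        if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, $action)) {
            return   # -WhatIf or declined confirmation: change nothing
        }
        Set-NfsServerConfiguration -EnableNFSV4 $Enabled

        # The new value only takes effect after the NFS server restarts.
        # Assumption: nfsadmin.exe (Services for NFS admin tool) is on PATH.
        nfsadmin server stop
        nfsadmin server start
        $current = Get-NfsServerConfiguration
    }

    # Verify instead of trusting the Set call: fail loudly if the value did
    # not stick, and warn if the restart left NFSv2/NFSv3 clients without service.
    if ($current.EnableNFSV4 -ne $Enabled) {
        throw "EnableNFSV4 is $($current.EnableNFSV4), expected $Enabled."
    }
    if ("$($current.State)" -ne 'Running') {
        Write-Warning "NFS server state is '$($current.State)'."
    }
    $current | Select-Object State, EnableNFSV2, EnableNFSV3, EnableNFSV4
}

Set-NfsV4State -Enabled $false   # apply the mitigation
# Set-NfsV4State -Enabled $true  # revert once the security update is installed
```

Adding `-WhatIf` to the call shows the pending change without touching the server.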

A security update that fixes this vulnerability is now available. Keep up with regular patch updates.