Threat Alert

by IthacaLabs™

THREAT LEVEL/High 16/06/2022

New Microsoft Windows NFS Remote Code Execution Vulnerability

Threat Level Description

Threat Level: High – An attack is highly likely. Additional and sustainable protective security measures reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.

Description

A new Remote Code Execution vulnerability has been identified in Microsoft Windows Server, affecting the Network File System (NFS).

A remote unauthenticated attacker, using a specially crafted call to the NFS service, could exploit this vulnerability in order to execute malicious code on the Microsoft Windows Server. This would result in breaching the confidentiality, integrity, and availability of the data hosted on the server.

This vulnerability is referred to as “CVE-2022-30136” and is based on a flaw in an unknown functionality of the Microsoft Windows Network File System (NFS).

Note that NFS versions 2.0 and 3.0 are not affected. Disabling NFS version 4.1 mitigates this flaw but could have adverse impacts, so organizations should carefully consider this temporary step before adopting it.

Furthermore, note that a CVE is reserved for this vulnerability but has not yet been published.

CVE(s)

N/A

Affected Systems

NFS version 4.1 on:

  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2019

Recommendation(s)

You should immediately proceed and implement the relevant security patches (Microsoft June 2022 Monthly Patch) provided by the vendor.

You should understand the importance of security updates, and the urgency with which they should be applied, no matter how large or small your organization is. It is very important to apply an efficient patch management solution, to always have active security event logging enabled, and to practice event monitoring. Protecting the valuable assets of your business and remaining compliant with the relevant industry regulations requires a comprehensive approach to the management of risk, including Penetration Testing at least annually and upon significant changes.

Workarounds:

This vulnerability is not exploitable in NFSV2.0 or NFSV3.0. Until you have installed the Windows update that protects against this vulnerability, you can mitigate an attack by disabling NFSV4.1. This could adversely affect your ecosystem and should only be used as a temporary mitigation.

Warning: You should NOT apply this mitigation unless you have installed the May 2022 Windows security updates. Those updates address “CVE-2022-26937” which is a Critical vulnerability in NFSV2.0 and NFSV3.0.

The following PowerShell command will disable NFSV4.1:

PS C:\> Set-NfsServerConfiguration -EnableNFSV4 $false

After running the command, you will need to restart the NFS server or reboot the machine.

To restart the NFS server, open a cmd window with Run as Administrator and enter the following commands:

• nfsadmin server stop
• nfsadmin server start

To confirm that NFSv4.1 has been turned off, run the following command in a PowerShell window:

PS C:\> Get-NfsServerConfiguration

To re-enable NFSv4.1 after you have installed the June 2022 security update, enter the following command:

Set-NfsServerConfiguration -EnableNFSV4 $True

Again, after running the command you will need to restart the NFS server or reboot the machine.
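
The workaround steps above can be combined into one script that refuses to run without the stated prerequisite and verifies the result. This is an added example, not vendor or IthacaLabs code: the parameter names -Action, -May2022UpdatesInstalled and -June2022UpdateInstalled are hypothetical, and it assumes the Get-NfsServerConfiguration output exposes an EnableNFSV4 property matching the Set-NfsServerConfiguration parameter.

```powershell
# Added example. Run from an elevated PowerShell session on the NFS server.
param(
    [Parameter(Mandatory)][ValidateSet('Disable', 'Enable')]
    [string]$Action,
    # Operator attestations (hypothetical switches): this script does not
    # inspect installed updates itself.
    [switch]$May2022UpdatesInstalled,
    [switch]$June2022UpdateInstalled
)
$ErrorActionPreference = 'Stop'

# Disabling NFSv4.1 leaves clients on NFSv2/v3, which are only safe once the
# May 2022 updates (CVE-2022-26937) are in place.
if ($Action -eq 'Disable' -and -not $May2022UpdatesInstalled) {
    throw 'Refusing to disable NFSv4.1: install the May 2022 updates first.'
}
# Re-enabling is only appropriate after the June 2022 security update.
if ($Action -eq 'Enable' -and -not $June2022UpdateInstalled) {
    throw 'Refusing to re-enable NFSv4.1: install the June 2022 update first.'
}

$want   = ($Action -eq 'Enable')
# Assumption: the configuration object has an EnableNFSV4 property.
$before = (Get-NfsServerConfiguration).EnableNFSV4
Write-Host "EnableNFSV4 before change: $before"

if ($before -ne $want) {
    Set-NfsServerConfiguration -EnableNFSV4 $want

    # The setting takes effect only after the NFS server restarts.
    foreach ($verb in 'stop', 'start') {
        & nfsadmin server $verb
        if ($LASTEXITCODE -ne 0) {
            throw "nfsadmin server $verb failed (exit code $LASTEXITCODE)."
        }
    }
}

# Confirm the running configuration matches the requested state.
$after = (Get-NfsServerConfiguration).EnableNFSV4
if ($after -ne $want) {
    throw "EnableNFSV4 is '$after' after the change; expected '$want'."
}
Write-Host "EnableNFSV4 is now: $after"
```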
