What is CVE-2022-30136?
CVE-2022-30136 is an unauthenticated remote command execution vulnerability that impacts Windows Server versions 2012, 2016, and 2019. The vulnerability is rooted in the Network File System (NFS). NFS is a distributed file system protocol that builds on the open network computing remote procedure call (ONC RPC) system. The protocol enables a remote client to access files on a server in a similar capacity to local storage. The vulnerability, detailed in an analysis by Trend Micro Vulnerability Research Service, is attributed to a miscalculation of the size of a response message, which can produce a response message larger than the allocated space, causing the buffer to overflow.
Successful exploitation by an unauthenticated remote attacker would result in remote command execution with SYSTEM privileges. Unsuccessful attempts would likely result in a system crash.
How bad is this?
Active exploitation today: Unknown
- Unauthenticated remote command execution
- Results in trivial remote command execution on vulnerable platforms
- Currently no public exploit, but a low level of complexity according to Microsoft
Who is affected by this?
Vulnerable applications have to satisfy a few non-standard requirements:
- Windows Server version 2012, 2016, and 2019 with NFSv4 enabled
At the time of publishing, no public exploit exists; however, there is a strong possibility active exploitation is imminent after a detailed public disclosure.
How is it exploited?
Exploitation can be accomplished with a crafted NFS message by an unauthenticated, remote attacker.
Am I at risk?
| Product | Security update |
|---|---|
| Windows Server 2012 R2 | KB5014738 |
| Windows Server 2012 | KB5014747 |
| Windows Server 2016 | KB5014702 |
| Windows Server 2019 | KB5014692 |
How do I protect myself?
Microsoft has released security updates. These should be applied to all vulnerable systems.
It is possible to mitigate the vulnerability by disabling NFSv4.1. To do so, execute the following PowerShell command:

```powershell
PS C:\> Set-NfsServerConfiguration -EnableNFSV4 $false
```
To restart the NFS server, open a cmd window with Run as Administrator and enter the following commands:

```
nfsadmin server stop
nfsadmin server start
```
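As an added audit script (not part of the advisory), the following checks the three conditions that together make a host exposed: an affected product, NFSv4 enabled on the Server for NFS role, and the advisory's KB not installed. It assumes the NFS module (Get-NfsServerConfiguration) and ServerManager (Get-WindowsFeature) are available on the host; the function name is our own.

```powershell
# Added example (not from the advisory): audit a host for CVE-2022-30136 exposure.
# Assumes the NFS module (Get-NfsServerConfiguration) and ServerManager
# (Get-WindowsFeature) are present, as on a host with the Server for NFS role.
# KB numbers come from the advisory's table; the function name is our own.
$patchByProduct = @{
    'Windows Server 2012 R2' = 'KB5014738'
    'Windows Server 2012'    = 'KB5014747'
    'Windows Server 2016'    = 'KB5014702'
    'Windows Server 2019'    = 'KB5014692'
}

function Get-Cve202230136Exposure {
    $os = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    # Try the longest product name first so "2012 R2" is not mistaken for "2012".
    $product = $patchByProduct.Keys |
        Sort-Object { $_.Length } -Descending |
        Where-Object { $os -like "*$_*" } |
        Select-Object -First 1

    $result = [ordered]@{
        Host = $env:COMPUTERNAME; OS = $os; NfsRole = $false; NFSv4 = $null
        PatchNeeded = $null; PatchFound = $null; Exposed = $false
    }
    if (-not $product) { return [pscustomobject]$result }  # not an affected product

    $result.PatchNeeded = $patchByProduct[$product]
    # Get-HotFix only lists the KB itself; a later cumulative update that
    # supersedes it will not show up, so "missing" means "verify", not "vulnerable".
    $result.PatchFound = [bool](Get-HotFix -Id $result.PatchNeeded -ErrorAction SilentlyContinue)

    $role = Get-WindowsFeature -Name FS-NFS-Service -ErrorAction SilentlyContinue
    $result.NfsRole = [bool]($role -and $role.Installed)
    if ($result.NfsRole) {
        # Same setting the mitigation above turns off.
        $result.NFSv4 = (Get-NfsServerConfiguration).EnableNFSV4
    }
    # Exposed only when all three hold: NFS role present, NFSv4 on, fix absent.
    $result.Exposed = $result.NfsRole -and ($result.NFSv4 -eq $true) -and (-not $result.PatchFound)
    [pscustomobject]$result
}

Get-Cve202230136Exposure | Format-List
```

Run it in an elevated PowerShell session on each server; a host with Exposed = True should be patched, or have NFSv4 disabled and the NFS server restarted as described above.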