CVE-2019-3689

Name of the Vulnerable Software and Affected Versions nfs-utils versions prior to 1.3.0-34.18.1 nfs-utils versions prior to 2.1.1-6.10.2

Description The issue is related to the incorrect assignment of standard permissions in the nsm drop privileges function of the nfs-utils package. This can allow a remote attacker to access confidential data, compromise its integrity, and trick processes running with root privileges into creating or overwriting files anywhere on the system. The directory /var/lib/nfs is owned by statd:nogroup and contains files owned and managed by root, which can be exploited if statd is compromised.

Recommendations For versions prior to 1.3.0-34.18.1, update to a version later than 1.3.0-34.18.1 to resolve the issue. For versions prior to 2.1.1-6.10.2, update to a version later than 2.1.1-6.10.2 to resolve the issue. As a temporary workaround, consider restricting access to the /var/lib/nfs directory to minimize the risk of exploitation.