Inattentive system administrators are using older versions of the NFS protocol for their data storage servers, and by doing so, they are exposing private or sensitive files to the Internet.
NFS stands for Network File System and is the name of a computer protocol that describes procedures on how to connect and access files via a network connection, usually on port 111 or 2049.
The protocol is most of the time used in enterprise environments where administrators enable central data storage files and allow employees to access it via NFS.
Problems come from using NFSv3 over NFSv4
Misconfigurations in these servers, such as using its insecure NFSv3 version over the NFSv4, or by leaving the server accessible via the Internet, can have catastrophic consequences.
Fortinet, a US-based security firm, says that a quick scan using Shodan had yielded tens of thousands of servers exposed via their NFS port. The company says that 10.6 percent (about one in ten) of all NFS servers it scanned were accessible without a password.
The problem lies with using NFSv3, an outdated version of the protocol. For its latest release, NFSv4, the protocol has been modified to use Kerberos to provide a basic level of authentication, but there are still plenty of admins running the older version,
Servers expose backups, source code, image files
Fortinet’s Tien Phan says that during the company’s research, he sometimes accessed some of the vulnerable servers and found all kinds of sensitive information. The list includes server logs, server backups, the source code of various websites, and server image files.
Most of these exposed servers were located in countries such as the US (18,843 servers), China (11,608), France (10,744), Germany (7,188), and Russia (5,269).
companies a set of mitigation techniques in order to avoid exposing sensitive files online. First and foremost, companies should switch to the newer NFSv4 protocol that provides a basic level of authentication.
Second, if upgrading is not technically possible, which should be rare, IT administrators should use firewalls to block access to the servers based on an internal list of IP addresses, known to originate from inside the company.