CVE-2020-24394 Overview
CVE-2020-24394 is a vulnerability in the Linux kernel's NFS server implementation that allows incorrect permissions to be set on new filesystem objects when the underlying filesystem lacks ACL (Access Control List) support. The flaw exists in fs/nfsd/vfs.c where the current umask is not properly considered during file creation operations, potentially exposing sensitive data or allowing unauthorized file modifications.
Critical Impact
Local authenticated attackers can exploit this vulnerability to create files with overly permissive access rights, leading to unauthorized data access or modification on NFS-exported filesystems.
Affected Products
- Linux Kernel (versions before 5.7.8)
- Canonical Ubuntu Linux (14.04 ESM, 16.04 ESM, 18.04 LTS, 20.04 LTS)
- openSUSE Leap 15.1
- Oracle SD-WAN Edge 8.2
- StarWind Virtual SAN v8 (multiple builds including 12533, 12658, 12859, 13170, 13586, 13861)
Discovery Timeline
- 2020-08-19 - CVE-2020-24394 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-24394
Vulnerability Analysis
This vulnerability stems from improper permission handling in the Linux kernel's NFS server daemon (nfsd). When files or directories are created on an NFS-exported filesystem that does not support POSIX ACLs, the NFS server fails to apply the process's current umask setting. This results in newly created filesystem objects inheriting permissions that may be more permissive than intended by the system's security policy.
The issue is particularly concerning in multi-user environments where NFS shares are commonly used for file sharing. Without proper umask enforcement, sensitive files could be created with world-readable or world-writable permissions, violating the principle of least privilege and potentially exposing confidential data to unauthorized users.
Root Cause
The root cause lies in the fs/nfsd/vfs.c file where the NFS server handles file and directory creation requests. When the underlying filesystem does not support ACLs, the code path responsible for setting permissions on new objects fails to incorporate the calling process's umask value. This is tracked as CID-22cf8419f131. The vulnerability is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource), indicating a fundamental flaw in how access rights are assigned to sensitive system resources.
Attack Vector
The attack requires local access to the system with valid credentials. An authenticated user mounting an NFS share can create files or directories that receive permissions broader than what the umask would normally restrict. This can be exploited to:
- Create files readable by other users who should not have access
- Establish world-writable directories that could be abused for privilege escalation chains
- Bypass organizational security policies that rely on umask settings for access control
The exploitation does not require any user interaction beyond the attacker's own actions and has a low complexity barrier once the attacker has authenticated local access.
Detection Methods for CVE-2020-24394
Indicators of Compromise
- Unexpected world-readable or world-writable files on NFS-mounted filesystems lacking ACL support
- Files created via NFS with permissions inconsistent with the server's configured umask settings
- Anomalous permission patterns on recently created files in NFS export directories
Detection Strategies
- Monitor NFS-exported directories for files created with permissions more permissive than umask would allow
- Audit file creation events on NFS shares using filesystem monitoring tools
- Implement periodic permission scans comparing actual vs. expected file permissions based on umask policies
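A periodic permission scan of the kind described in the last item could look like the following. This is an added example, not code from the advisory or from any vendor; the function names are hypothetical, the expected umask is passed in by the operator, and GNU findutils is assumed.

```shell
#!/bin/sh
# Added example: flag objects under NFS exports whose mode still carries
# permission bits that the expected umask should have cleared.
# Assumes GNU find (-perm /MODE, -printf). Function names are hypothetical.

# export_paths FILE
# Print the export path (first field) of every non-blank, non-comment line
# of an exports(5) file. Quoted paths, \040 escapes and backslash
# continuation lines are not handled.
export_paths() {
    awk 'NF && $1 !~ /^#/ { print $1 }' "$1"
}

# scan_umask_violations DIR UMASK [DAYS]
# Print "MODE OWNER:GROUP PATH" for regular files and directories under DIR
# that have any bit of UMASK set. With DAYS, only objects modified within
# that many days are listed.
scan_umask_violations() {
    case $2 in
        ''|*[!0-7]*) echo "umask must be octal: $2" >&2; return 2 ;;
    esac
    # A umask of 0 forbids nothing, and GNU find treats -perm /000 as
    # "match everything", so stop here.
    [ "$((0$2))" -ne 0 ] || return 0
    # -perm /MASK is true when ANY bit of MASK is set in the mode.
    # Symlinks are skipped: their mode is always 0777 and carries no meaning.
    # -xdev keeps the scan on the exported filesystem.
    find "$1" -xdev \( -type f -o -type d \) -perm "/$2" \
        ${3:+-mtime -"$3"} -printf '%m %u:%g %p\n'
}

# scan_exports EXPORTS_FILE UMASK [DAYS]
# Run the scan over every export path that exists as a local directory.
scan_exports() {
    export_paths "$1" | while IFS= read -r path; do
        if [ -d "$path" ]; then
            scan_umask_violations "$path" "$2" "${3:-}"
        fi
    done
}

# Typical use on the NFS server, expected umask 022, last 30 days:
#   scan_exports /etc/exports 022 30
```

A hit is a lead for review rather than proof of exploitation, since a later chmod by the owner produces the same mode bits.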
Monitoring Recommendations
- Enable NFS server access logging to track file creation operations
- Deploy host-based intrusion detection to identify suspicious permission patterns
- Establish baseline permission profiles for NFS shares and alert on deviations
How to Mitigate CVE-2020-24394
Immediate Actions Required
- Update the Linux kernel to version 5.7.8 or later on all systems running NFS server
- Apply vendor-specific patches from Ubuntu, openSUSE, Oracle, or StarWind as appropriate for your deployment
- Audit existing files on NFS exports for incorrect permissions and remediate as needed
Patch Information
The vulnerability is addressed in Linux kernel version 5.7.8 and later. The specific fix is documented in commit 22cf8419f1319ff87ec759d0ebdff4cbafaee832. For detailed information, consult the Linux Kernel ChangeLog v5.7.8 or review the kernel commit directly.
Vendor-specific advisories are available from Ubuntu Security Notices, openSUSE Security Announcements, Oracle CPU April 2021, and StarWind Security Advisory SW-20210325-0004.
Workarounds
- Use filesystems with ACL support for NFS exports where possible, as ACL-enabled filesystems handle permissions differently
- Implement additional permission restrictions at the NFS export configuration level using anonuid, anongid, and restrictive export options
- Apply mandatory access control systems like SELinux or AppArmor to provide defense-in-depth while awaiting kernel updates
- Consider temporarily limiting NFS exports to trusted clients until patches can be applied
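# Example: Review current NFS exports and check filesystem ACL support
cat /etc/exports
# Check whether the filesystem's default mount options include acl
# (tune2fs works on ext2/3/4 only; replace /dev/sdXN with the device backing the export)
tune2fs -l /dev/sdXN | grep "Default mount options"
# Verify the running kernel version after patching and rebooting
uname -r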


