CVE-2007-5964
Description
Missing nosuid option in autofs defaults (hosts map) allows local users to gain privileges via a setuid binary on a remote NFS share.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The default configuration of autofs 5 shipped in some Linux distributions, notably Red Hat Enterprise Linux (RHEL) 5, omits the nosuid mount option for the /net (hosts) map. This means that when a user accesses an NFS export via the autofs automounter, the filesystem is mounted with the suid attribute enabled by default. Affected versions include autofs 5 as delivered in RHEL 5 [1][2].
Exploitation
An attacker who controls a remote NFS server can place a setuid-root binary on an exported filesystem. A local user on the affected system who then accesses that export (e.g., by changing into /net/<attacker_host>/) will cause the automounter to mount the share. The absence of nosuid allows the setuid bit to be honored. The user can then execute the malicious binary, escalating privileges. No special authentication or prior access is required beyond standard network connectivity and the ability to mount an NFS share [1][2].
Impact
Successful exploitation gives the attacker the ability to execute arbitrary code with the privileges of the setuid binary (often root). This results in a full compromise of the local system, including complete control over files, processes, and configurations. The impact is limited to systems running the vulnerable default autofs configuration [1][2].
Mitigation
Red Hat released updated packages (RHSA-2007-1128 for RHEL 5 Server, RHSA-2007-1129 for RHEL 5 Client) that modify the default configuration to include the nosuid option for the hosts map. System administrators should apply these updates or manually add nosuid to the /etc/auto.master entry for /net. No other practical workarounds exist; systems that remain unpatched continue to be exposed [1][2].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:redhat:enterprise_linux:5.0:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The default autofs configuration omits the nosuid mount option for the /net (-hosts) map, allowing setuid binaries on remote NFS shares to grant root privileges to local unprivileged users."
Attack vector
An attacker sets up a remote NFS server that exports a directory containing a setuid-root binary. A local unprivileged user on the target system (where autofs is running and the `/net` map lacks the `nosuid` option) changes directory to `/net/<nfs_server>/<exported_path>/` and executes the setuid binary [ref_id=1]. Because the NFS share is mounted without `nosuid`, the binary runs with effective UID 0, giving the local user full root privileges [ref_id=1].
Affected code
The default autofs configuration in `/etc/auto.master` on RHEL 5 and Fedora 8 omits the `nosuid` option for the `-hosts` map that manages `/net` mounts [ref_id=1]. No source code patch is provided; the fix is a configuration change to the `auto.master` file.
What the fix does
The advisory recommends editing `/etc/auto.master` and changing the line `/net -hosts` to `/net -nosuid -hosts` [ref_id=1]. Adding the `nosuid` mount option prevents setuid bits on the mounted NFS filesystem from being honored, so any setuid binary placed on the remote NFS server will execute with the privileges of the invoking user rather than with root privileges [ref_id=1]. No software patch is provided; the remediation is a configuration hardening step.
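An added example, not part of the advisory or the autofs project: a shell function that audits a master map for `-hosts` entries that lack `nosuid`, accepting the option in either position and inside comma-separated lists. The function name, the sample maps and the assumption that options appear as whitespace-separated fields are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): flag -hosts entries without nosuid.
# Assumption: options are whitespace-separated fields, optionally comma lists.

# audit_hosts_map [FILE]  (reads stdin when FILE is omitted)
# Prints the mount point of every -hosts entry lacking nosuid.
# Returns 0 when none are found, 1 otherwise.
audit_hosts_map() {
    awk '
        { sub(/#.*/, "") }                 # drop comments
        NF < 2 { next }                    # blank lines, "+auto.master" includes
        {
            is_hosts = 0; has_nosuid = 0
            for (i = 2; i <= NF; i++) {
                f = $i
                if (f == "-hosts") { is_hosts = 1; continue }
                sub(/^-+/, "", f)          # "-nosuid,nodev" -> "nosuid,nodev"
                n = split(f, opt, ",")
                for (j = 1; j <= n; j++)
                    if (opt[j] == "nosuid") has_nosuid = 1
            }
            if (is_hosts && !has_nosuid) { print $1; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$@"
}

# Constructed sample maps: the shipped default and the corrected line.
sample_default() { printf '%s\n' '/misc /etc/auto.misc' '/net -hosts' '+auto.master'; }
sample_fixed()   { printf '%s\n' '/misc /etc/auto.misc' '/net -nosuid -hosts'; }

if sample_default | audit_hosts_map; then
    echo "default sample: ok"
else
    echo "default sample: the mount points above lack nosuid"
fi
sample_fixed | audit_hosts_map && echo "fixed sample: ok"
```

On a real host, run `audit_hosts_map /etc/auto.master`; a non-zero exit status means at least one `-hosts` entry still needs the option.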
Preconditions
- config: autofs must be running on the target system
- config: The /etc/auto.master configuration for /net must lack the nosuid option (default on RHEL 5 and Fedora 8)
- network: Attacker must control an NFS server that exports a directory containing a setuid-root binary
- auth: Attacker must have a local unprivileged shell account on the target system
Reproduction
1. On an NFS server you control, export a directory containing a setuid-root binary.
2. On the target system (RHEL 5 or Fedora 8 with default autofs config), ensure autofs is running.
3. As a non-root user, run `cd /net/<nfs_server>/<exported_path>/` then execute the setuid binary. The binary runs with effective UID 0 [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- bugzilla.redhat.com/show_bug.cgi (nvd; Exploit)
- secunia.com/advisories/28052 (nvd; Vendor Advisory)
- secunia.com/advisories/28097 (nvd; Vendor Advisory)
- secunia.com/advisories/28456 (nvd; Vendor Advisory)
- osvdb.org/40441 (nvd)
- securitytracker.com/id (nvd)
- www.mandriva.com/security/advisories (nvd)
- www.redhat.com/support/errata/RHSA-2007-1128.html (nvd)
- www.redhat.com/support/errata/RHSA-2007-1129.html (nvd)
- www.securityfocus.com/bid/26841 (nvd)
- bugzilla.redhat.com/show_bug.cgi (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10158 (nvd)
- www.redhat.com/archives/fedora-package-announce/2007-December/msg00474.html (nvd)
- www.redhat.com/archives/fedora-package-announce/2007-December/msg00549.html (nvd)