nfs-utils: root-owned files stored in insecure /var/lib/nfs directory
Description
The nfs-utils package on SUSE Linux Enterprise Server sets insecure permissions on /var/lib/nfs, allowing a compromised statd to trick root processes into overwriting arbitrary files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In nfs-utils versions up to 1.3.0-34.18.1 on SUSE Linux Enterprise Server 12 and up to 2.1.1-6.10.2 on SUSE Linux Enterprise Server 15, the directory /var/lib/nfs is owned by statd:nogroup [1]. This directory contains files owned by root, such as etab, rmtab, and v4recovery. The insecure ownership allows any process with statd privileges to manipulate the directory and its contents.
Exploitation
An attacker who has compromised the statd service (or can control its actions) can place a symlink in /var/lib/nfs pointing to a target file anywhere on the system. The mountd process, which runs as root and opens rmtab following symlinks, can be tricked into creating or overwriting files at the attacker-chosen location [1].
Impact
Successful exploitation leads to arbitrary file write as root, potentially allowing privilege escalation or system compromise [1][2]. The attacker can overwrite critical system files, leading to denial of service, code execution, or full control of the system.
Mitigation
SUSE published updates for nfs-utils on 24 October 2019, changing ownership of /var/lib/nfs to root and adjusting statd to use /var/lib/nfs/sm for its data [1]. Ubuntu also released a fix in USN-4400-1 on 22 June 2020 [2]. Users should update nfs-utils to the patched versions. If patching is not possible, ensure that the statd service is not exposed to untrusted networks and limit access to the /var/lib/nfs directory.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
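A defender-side check for the condition described above, as an added example that is not part of the advisory or of nfs-utils: it flags a state directory not owned by root, root-owned files inside such a directory, and symlinks among its top-level entries. The uid 484 used for statd in the accompanying test data is a constructed sample value, and the default path is the one named on this page.

```python
import os
import stat
import sys


def evaluate(dir_uid, dir_mode, entries, trusted_uid=0):
    """Pure check; entries is an iterable of (name, uid, mode) taken from lstat()."""
    findings = []
    dir_untrusted = dir_uid != trusted_uid
    if dir_untrusted:
        findings.append(f"directory owned by uid {dir_uid}, expected {trusted_uid}")
    if dir_mode & (stat.S_IWGRP | stat.S_IWOTH) and not dir_mode & stat.S_ISVTX:
        findings.append("directory is group/world-writable without sticky bit")
    for name, uid, mode in entries:
        if stat.S_ISLNK(mode):
            # A privileged writer that follows links would write to the link target.
            findings.append(f"{name}: symlink in state directory, review target")
        elif dir_untrusted and uid == trusted_uid:
            # The directory owner can unlink or rename this entry and plant its own.
            findings.append(f"{name}: uid {trusted_uid} file replaceable by directory owner")
    return findings


def audit(path="/var/lib/nfs", trusted_uid=0):
    """lstat the directory and its top-level entries (no recursion, no link following)."""
    st = os.lstat(path)
    entries = []
    for name in sorted(os.listdir(path)):
        e = os.lstat(os.path.join(path, name))
        entries.append((name, e.st_uid, e.st_mode))
    return evaluate(st.st_uid, st.st_mode, entries, trusted_uid)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/nfs"
    results = audit(target)
    for line in results:
        print(f"{target}: {line}")
    sys.exit(1 if results else 0)
```

On a patched system the statd-owned sm subdirectory is not reported, because only entries owned by the trusted uid inside an untrusted directory are flagged.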
Affected products (28)
osv-coords (25 versions):
- pkg:rpm/opensuse/nfsidmap&distro=openSUSE%20Tumbleweed (no CPE), range: < 1.0-26.2
- pkg:rpm/opensuse/nfs-utils&distro=openSUSE%20Leap%2015.0 (no CPE), range: < 2.1.1-lp150.4.10.1
- pkg:rpm/opensuse/nfs-utils&distro=openSUSE%20Leap%2015.1 (no CPE), range: < 2.1.1-lp151.7.3.1
- pkg:rpm/opensuse/rpmlint&distro=openSUSE%20Tumbleweed (no CPE), range: < 2.1+git20210924.ad0cf53-1.1
- pkg:rpm/suse/nfs-utils&distro=HPE%20Helion%20OpenStack%208 (no CPE), range: < 1.3.0-34.22.1
- pkg:rpm/suse/nfs-utils&distro=SUSE%20Enterprise%20Storage%204 (no CPE), range: < 1.3.0-34.22.1
- pkg:rpm/suse/nfs-utils&distro=SUSE%20Enterprise%20Storage%205 (no CPE), range: < 1.3.0-34.22.1
- pkg:rpm/suse/nfs-utils&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4 (no CPE), range: < 1.3.0-34.22.1
- pkg:rpm/suse/nfs-utils&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015 (no CPE), range: < 2.1.1-6.14.1
- pkg:rpm/suse/nfs-utils&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1 (no CPE), range: < 2.1.1-10.4.1
- pkg:rpm/suse/nfs-utils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSS (no CPE), range: < 1.3.0-41.3.1
- pkg:rpm/suse/nfs-utils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL (no CPE), range: < 1.3.0-34.22.1
- pkg:rpm/suse/nfs-utils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS (no CPE), range: < 1.3.0-34.22.1
- pkg:rpm/suse/nfs-utils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL (no CPE), range: < 1.3.0-34.22.1
- pkg:rpm/suse/nfs-utils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSS (no CPE), range: < 1.3.0-34.22.1
- pkg:rpm/suse/nfs-utils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4 (no CPE), range: < 1.3.0-34.22.1
- pkg:rpm/suse/nfs-utils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE), range: < 1.3.0-34.22.1
- pkg:rpm/suse/nfs-utils&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1 (no CPE), range: < 1.3.0-41.3.1
- pkg:rpm/suse/nfs-utils&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2 (no CPE), range: < 1.3.0-34.22.1
- pkg:rpm/suse/nfs-utils&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 (no CPE), range: < 1.3.0-34.22.1
- pkg:rpm/suse/nfs-utils&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 (no CPE), range: < 1.3.0-34.22.1
- pkg:rpm/suse/nfs-utils&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE), range: < 1.3.0-34.22.1
- pkg:rpm/suse/nfs-utils&distro=SUSE%20OpenStack%20Cloud%207 (no CPE), range: < 1.3.0-34.22.1
- pkg:rpm/suse/nfs-utils&distro=SUSE%20OpenStack%20Cloud%208 (no CPE), range: < 1.3.0-34.22.1
- pkg:rpm/suse/nfs-utils&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 (no CPE), range: < 1.3.0-34.22.1
- (no CPE)range: before and including version 1.3.0-34.18.1
- (no CPE)range: before and including version 2.1.1-6.10.2
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (6)
- lists.opensuse.org/opensuse-security-announce/2019-10/msg00071.html (mitre; vendor-advisory; x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-11/msg00006.html (mitre; vendor-advisory; x_refsource_SUSE)
- usn.ubuntu.com/4400-1/ (mitre; vendor-advisory; x_refsource_UBUNTU)
- bugzilla.suse.com/show_bug.cgi (mitre; x_refsource_CONFIRM)
- git.linux-nfs.org (mitre; x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2019/10/msg00026.html (mitre; mailing-list; x_refsource_MLIST)
News mentions (0)
No linked articles in our index yet.