Solved

CVM's running NFS server risk

  • 8 January 2019
  • 1 reply
  • 471 views

I just had a security scan done against my cluster running AOS 5.5.6 and the only 'high' risk that came back was with cve-id CVE-1999-0548 (NFS Server Without Shares Detected):

Description:
A superfluous NFS server that is not sharing any file systems has been detected.
How to Fix:
Disable the NFS server.

Obviously, I don't think I want to disable the NFS server service on all of my CVMs - is there any official documentation that I can share with my peers to support this so that I can get an exemption from this risk on these systems?

Best answer by danny_sre 25 November 2019, 21:03

Hi Mandg!

 

Since the CVMs are the storage controllers for the environment, we would not want to disable NFS. This is particularly true if the hypervisors are ESXi (ref: https://portal.nutanix.com/#/page/kbs/details?targetId=kA032000000TStNCAW).


Note the following:

CVM, Stargate service is always listening on ports 2049 (NFS), 3261/3260 (iSCSI), 445 (SMB), no matter what kind of hypervisor we are using. This can cause security scan warnings for vulnerabilities on CVM in the environment.

 

Please review and let me know if you have any additional questions. 

 

Thanks!

 

DannyR
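
One way to back the exemption request with evidence, as an added example that is not part of the original posts or Nutanix's own tooling: parse `ss -tlnp` output and check that the listeners on the ports named in the answer belong to the storage service. The process name `stargate` as it would appear in `ss` output, the PIDs, and the sample lines are assumptions constructed for illustration.

```python
import re

# Ports the answer says Stargate listens on, regardless of hypervisor.
EXPECTED_PORTS = {2049: "NFS", 3260: "iSCSI", 3261: "iSCSI", 445: "SMB"}
OWNER_RE = re.compile(r'users:\(\("([^"]+)"')

# Constructed sample of `ss -tlnp` output. The process name "stargate" and
# all PIDs are assumptions; the 445 line has no process column, as happens
# when ss is run without root.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:2049       0.0.0.0:*         users:(("stargate",pid=4121,fd=33))
LISTEN 0      128    0.0.0.0:3260       0.0.0.0:*         users:(("stargate",pid=4121,fd=35))
LISTEN 0      128    0.0.0.0:3261       0.0.0.0:*         users:(("stargate",pid=4121,fd=36))
LISTEN 0      64     0.0.0.0:445        0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=900,fd=3))
"""


def audit_listeners(ss_output, expected_owner="stargate"):
    """Return {port: {"protocol", "owners", "verdict"}} for the expected ports."""
    owners_by_port = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        port_text = fields[3].rsplit(":", 1)[-1]  # handles 0.0.0.0:2049 and [::]:2049
        if not port_text.isdigit() or int(port_text) not in EXPECTED_PORTS:
            continue
        match = OWNER_RE.search(line)
        owners_by_port.setdefault(int(port_text), set()).add(match.group(1) if match else None)

    report = {}
    for port, protocol in EXPECTED_PORTS.items():
        owners = owners_by_port.get(port)
        if owners is None:
            verdict = "not-listening"
        elif None in owners:
            verdict = "owner-unknown"      # re-run ss as root before concluding anything
        elif owners == {expected_owner}:
            verdict = "expected-service"
        else:
            verdict = "unexpected-owner"   # something other than the storage service
        report[port] = {"protocol": protocol, "owners": sorted(o or "-" for o in owners or ()),
                        "verdict": verdict}
    return report


if __name__ == "__main__":
    for port, row in sorted(audit_listeners(SAMPLE_SS).items()):
        print(port, row["protocol"], ",".join(row["owners"]) or "-", row["verdict"])
```

An `unexpected-owner` or `owner-unknown` verdict means the scanner finding should not be waived on the strength of the answer alone until the listener's owner is confirmed.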

 
