Rule:

--
Sid:
2014

--
Summary:
Remote Procedure Call (RPC) is a facility that enables a machine to 
request a service from another remote machine. This is done without the 
need for detailed network information. Some versions of RPC have a 
vulnerability that allows an a remote host to register (and un-register)
applications from a spoofed source.

--
Impact:
Possible denial of service (DoS) against the target host. Potential 
remote root compromise of the target system.

--
Detailed Information:
Certain versions of rpcbind portmapper contain a flaw that could allow 
an attacker capable of spoofing TCP packets to set and unset calls to 
arbitrary RPC programs.

A denial of service could be instigated against the target machine that 
could render network file system services and other such network 
available services unavailable to network users.

It is also possible for the attacker to gain super user access depending
on the RPC service he is able to register. This could then lead to a
compromise of all resources on the network the victim is attached to.

--
Affected Systems:
All machines running vulnerable RPC services.

--
Attack Scenarios:
The attacker could potentially spoof TCP packets for pmap_set to 
register an RPC service. The attacker might also spoof TCP packets to 
un-register needed services via pmap_unset.

--
Ease of Attack:
Simple

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:
RPC services should not be available outside the local area network, 
filter RPC ports at the firewall to ensure access is denied to RPC 
enabled machines.

RPC services should also be disabled where not needed.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

BugTraq:
http://www.securityfocus.com/bid/1892

--