Rule: -- Sid: 2014 -- Summary: Remote Procedure Call (RPC) is a facility that enables a machine to request a service from another remote machine. This is done without the need for detailed network information. Some versions of RPC have a vulnerability that allows an a remote host to register (and un-register) applications from a spoofed source. -- Impact: Possible denial of service (DoS) against the target host. Potential remote root compromise of the target system. -- Detailed Information: Certain versions of rpcbind portmapper contain a flaw that could allow an attacker capable of spoofing TCP packets to set and unset calls to arbitrary RPC programs. A denial of service could be instigated against the target machine that could render network file system services and other such network available services unavailable to network users. It is also possible for the attacker to gain super user access depending on the RPC service he is able to register. This could then lead to a compromise of all resources on the network the victim is attached to. -- Affected Systems: All machines running vulnerable RPC services. -- Attack Scenarios: The attacker could potentially spoof TCP packets for pmap_set to register an RPC service. The attacker might also spoof TCP packets to un-register needed services via pmap_unset. -- Ease of Attack: Simple -- False Positives: None Known -- False Negatives: None Known -- Corrective Action: RPC services should not be available outside the local area network, filter RPC ports at the firewall to ensure access is denied to RPC enabled machines. RPC services should also be disabled where not needed. -- Contributors: Sourcefire Research Team Brian Caswell <bmc@sourcefire.com> Nigel Houghton <nigel.houghton@sourcefire.com> -- Additional References: BugTraq: http://www.securityfocus.com/bid/1892 --