Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2017-8779

Опубликовано: 04 мая 2017
Источник: debian
EPSS Высокий

Описание

rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
rpcbindfixed0.2.3-0.6package
libtirpcfixed0.2.5-1.2package
ntirpcfixed1.4.4-1package

Примечания

  • https://www.openwall.com/lists/oss-security/2017/05/04/1

  • https://github.com/guidovranken/rpcbomb/

  • For rpcbind, 0.2.3-0.6 upload was based on Guido Vranken 's patch in

  • https://github.com/guidovranken/rpcbomb/blob/master/rpcbind_patch.txt

  • Upstream patch: https://git.linux-nfs.org/?p=steved/rpcbind.git;a=commit;h=7ea36eeece56b59f98e469934e4c20b4da043346 (rpcbind-0_2_5-rc1)

  • Followup for typo: https://git.linux-nfs.org/?p=steved/rpcbind.git;a=commitdiff;h=c49a7ea639eb700823e174fd605bbbe183e229aa (rpcbind-0_2_5-rc2)

EPSS

Процентиль: 99%
0.83225
Высокий

Связанные уязвимости

ubuntu логотип

CVE-2017-8779

CVSS3: 7.5
ubuntu
больше 8 лет назад

rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.

redhat логотип

CVE-2017-8779

CVSS3: 7.5
redhat
больше 8 лет назад

rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.

nvd логотип

CVE-2017-8779

CVSS3: 7.5
nvd
больше 8 лет назад

rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.

suse-cvrf логотип

openSUSE-SU-2017:1412-1

suse-cvrf
больше 8 лет назад

Security update for rpcbind

suse-cvrf логотип

openSUSE-SU-2017:1381-1

suse-cvrf
больше 8 лет назад

Security update for libtirpc

EPSS

Процентиль: 99%
0.83225
Высокий
Уязвимость CVE-2017-8779