Описание
rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.
It was found that due to the way rpcbind uses libtirpc (libntirpc), a memory leak can occur when parsing specially crafted XDR messages. An attacker sending thousands of messages to rpcbind could cause its memory usage to grow without bound, eventually causing it to be terminated by the OOM killer.
Отчет
In the default system configuration, with the sysctl variable vm.overcommit_memory set to either 0 (the default) or 1, an attack would take a not-insignificant amount of time to exhaust the system's memory. If vm.overcommit_memory is set to a value of 2, the time required to exhaust system memory is sufficiently reduced. It was further noticed that, a 32-bit system would have its memory exhausted faster than a 64-bit system.
Меры по смягчению последствий
rpcbind should be protected by iptables so that only trusted hosts that require access can reach it (eg, nfs clients). Applying per-IP rate limits in iptables will also significantly limit the impact of this attack. The default iptables rules in the system-config-firewall or firewalld package deny all remote access to rpcbind. If you elect to run your system with overcommit turned off, daemons should have memory limits enforced by the init system to ensure stability. With systemd, use directives such as LimitAS in unit files. With upstart, place ulimit commands in /etc/sysconfig/$daemon.
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.
rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.
rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0 ...
EPSS
7.5 High
CVSS3