Date: 30 April 2003
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2003.0326 -- Sun Alert Notification
rpcbind(1M) May be Terminated by Unprivileged Client Applications
30 April 2003
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: rpcbind
Publisher: Sun Microsystems
Operating System: Solaris 9
Solaris 8
Solaris 7
Solaris 2.6
Platform: Solaris
x86
Impact: Denial of Service
Access Required: Remote
Comment: Original Sun security bulletin is available at:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50922
- --------------------------BEGIN INCLUDED TEXT--------------------
Sun(sm) Alert Notification
Sun Alert ID: 50922
Synopsis: rpcbind(1M) May be Terminated by Unprivileged Client Applications,
Leading to Denial of RPC Services
Category: Security
Product: Solaris
BugIDs: 4710928
Avoidance: Patch
State: Resolved
Date Released: 28-Apr-2003
Date Closed: 28-Apr-2003
Date Modified:
1. Impact
rpcbind(1M) may be terminated by a local or remote unprivileged user. This
would cause a denial of service to RPC applications hosted on the affected
system.
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
Solaris 2.6 without patch 105401-42
Solaris 7 without patch 106942-25
Solaris 8 without patch 108827-40 and without patch 108993-18
Solaris 9 without patch 113319-07
x86 Platform
Solaris 2.6 without patch 105402-42
Solaris 7 without patch 106943-25
Solaris 8 without patch 108828-40 and without patch 108994-18
Solaris 9 without patch 113719-07
Solaris 2.5.1 will not be evaluated regarding the potential impact of the
issue described in this Sun Alert document.
Note: Patch 108827-40 has been obsoleted by patch 108993-18. Patch 108828-40
has been obsoleted by patch 108994-18.
3. Symptoms
The "rpcbind" process is no longer running.
When executed, the rpcinfo(1M) command will display an error message as in
the following example:
$ rpcinfo
rpcinfo: can't contact rpcbind: RPC: Rpcbind failure - RPC: Failed (unspecified error)
4. Relief/Workaround
As a precaution, consider refusing access to rpcbind(1M) from untrusted
networks. This can be achieved by blocking connections from untrusted
networks to ports used by rpcbind(1M) (typically ports 111/UDP and
111/TCP; use "rpcinfo | grep rpcbind" to determine UDP/TCP ports in use
by rpcbind(1M))
To facilitate restarting rpcbind(1M), consider generating a list of
currently registered RPC services. This can be done by once terminating
the "rpcbind" process with a "TERM" signal after all hosted RPC services
have been started and restarting it with the "-w " option:
# pkill -TERM rpcbind
# /usr/sbin/rpcbind -w
As a result, the "rpcbind" process will write a list of all currently
registered RPC services to the "/tmp/rpcbind.file" and /"tmp/portmap.file"
files.
Should the "rpcbind" process exit unexpectedly later it can be restarted
with the "-w" option to re-register RPC services available at the time the
"pkill -TERM rpcbind" was issued:
# /usr/sbin/rpcbind -w
This will eliminate the need to restart hosted RPC services after
restarting rpcbind(1M).
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
Solaris 2.6 with patch 105401-42 or later
Solaris 7 with patch 106942-25 or later
Solaris 8 with patch 108827-40 (patch 108827-40 has been obsoleted by patch 108993-18)
Solaris 8 with patch 108993-18 or later
Solaris 9 with patch 113319-07 or later
x86 Platform
Solaris 2.6 with patch 105402-42 or later
Solaris 7 with patch 106943-25 or later
Solaris 8 with patch 108828-40 (patch 108828-40 has been obsoleted by patch 108994-18)
Solaris 8 with patch 108994-18 or later
Solaris 9 with patch 113719-02 or later
This Sun Alert notification is being provided to you on an "AS IS" basis.
This Sun Alert notification may contain information provided by third parties.
The issues described in this Sun Alert notification may or may not impact your
system(s). Sun makes no representations, warranties, or guarantees as to the
information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING
THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun
Alert notification contains Sun proprietary and confidential information. It
is being provided to you pursuant to the provisions of your agreement to
purchase services from Sun, or, if you do not have such an agreement, the
Sun.com Terms of Use. This Sun Alert notification may only be used for the
purposes contemplated by these agreements.
Copyright 2000-2003 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
CA 95054 U.S.A. All rights reserved.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBPq/lFSh9+71yA2DNAQFYKgP9EgboACuK4gsT7Zo09Cb0uMzvMXRSd0jF
9sKdnRa6Y3+ht5+CLHPu7Mf1jJSuDREjHKAJIFqu+kO+osOaN6+ex1wrzNS+EBBJ
iqMK25r2/1bo977HTp5xxEmEFromcLZIWnwBcq1CbzIJS3XQPxBc67rAftPffw1Y
MjgNbRYKM+M=
=Uegk
-----END PGP SIGNATURE-----
|