RPC portmapper security risk

Anyone ever heard of this security risk or have any useful links. Ive done some research but have limited information.

Anyone ever heared of or dealt with this?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

sprkymrk

Wow, RPC and a vulnerability? No way! :P

Honestly, there are dozens of vulnerabilities with RPC. DNS, Exchange, DCOM, spoofing, buffer overflows, even third party products like Backup Exec - you name the OS or program, if it uses RPC, you can find a flaw.

Sorry I can't help out with your specific query without a little more information. Since it's Pashby I'm talking to, I know you've already tried google.

Pash

sprkymrk wrote:

Wow, RPC and a vulnerability? No way! :P

Honestly, there are dozens of vulnerabilities with RPC. DNS, Exchange, DCOM, spoofing, buffer overflows, even third party products like Backup Exec - you name the OS or program, if it uses RPC, you can find a flaw.

Sorry I can't help out with your specific query without a little more information. Since it's Pashby I'm talking to, I know you've already tried google.

I have googled until my my fingers hurt

I understand the vunrelabilities of RPC but seemingly this is supposed to be regarding the RPC port mapping service, which I thought was for Unix systems only.

Thanks anyway mark!

JDMurray

The RPC vulnerabilities with DCOM are rather old (2003) and have been patched for years. Here a paper on it at SANS and a mention of the exploit on ZDNet.

sprkymrk

JDMurray wrote:

The RPC vulnerabilities with DCOM are rather old (2003) and have been patched for years. Here a paper on it at SANS and a mention of the exploit on ZDNet.

I was only using that as 1 of many examples about the problems with RPC over the years. Every few months you can count on another one.

Pash, here are a few CVE's that have something to do with RPC for 2007, probably not too helpful, but I don't know exactly what the port mapper vulnerability is.

CVE-2007-5601
CVE-2007-5462
CVE-2007-5326
CVE-2007-4000
CVE-2007-3999
CVE-2007-3509
CVE-2007-2798
CVE-2007-2442
CVE-2007-2228
CVE-2007-1748
CVE-2007-0165

Maybe if you have a little more information - like was this another one of those scans done by so-called "security experts" where you just get a canned list of issues?

Pash

Thanks JD ill check those links

sprkymrk wrote:

JDMurray wrote:

The RPC vulnerabilities with DCOM are rather old (2003) and have been patched for years. Here a paper on it at SANS and a mention of the exploit on ZDNet.

I was only using that as 1 of many examples about the problems with RPC over the years. Every few months you can count on another one.

Pash, here are a few CVE's that have something to do with RPC for 2007, probably not too helpful, but I don't know exactly what the port mapper vulnerability is.

CVE-2007-5601
CVE-2007-5462
CVE-2007-5326
CVE-2007-4000
CVE-2007-3999
CVE-2007-3509
CVE-2007-2798
CVE-2007-2442
CVE-2007-2228
CVE-2007-1748
CVE-2007-0165

Maybe if you have a little more information - like was this another one of those scans done by so-called "security experts" where you just get a canned list of issues?

Correct mark it was from my friends at IBM

. Their recommendation is to block TCP & UDP port 111 http://www.auditmypc.com/port/tcp-port-111.asp http://www.auditmypc.com/port/udp-port-111.asp but they say the security risk is low. I have never heared of these vunrebilities and they only appear on our clients windows servers. I looked for a RPC port mapping service but there was no service like that running, only the RPC locator service which didnt have any services dependent on it running. I dont really wanna go blocking ports on critical servers without getting more info.

Ill check those CVE's out.

Thanks again guys!

sprkymrk

Correct mark it was from my friends at IBM . Their recommendation is to block TCP & UDP port 111

Sounds like they just had to throw that in to justify their latest bill. I would say you can safely ignore it, or else ask them for the DETAILED report on that recommendation and related CVE/KB/CERT Advisory before you do any port blocking.

Another option might be (if you are allowed) to run your own scan using something like the free Microsoft Baseline Security Analyzer and see if anything like that pops up.