Note: This is an archival copy of Security Sun Alert 228554 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1017448.1.
Article ID : 1017448.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2003-02-18
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

rpcbind(1M) May be Terminated by Unprivileged Client Applications, Leading to Denial of RPC Services



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 2.6 Operating System
Solaris 7 Operating System
Solaris 8 Operating System

Bug Id
4710928

Date of Resolved Release
28-APR-2003

Impact

rpcbind(1M) may be terminated by a local or remote unprivileged user. This would cause a denial of service to RPC applications hosted on the affected system.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 2.6 without patch 105401-42
  • Solaris 7 without patch 106942-25
  • Solaris 8 without patch 108827-40 and without patch 108993-18
  • Solaris 9 without patch 113319-07

x86 Platform

  • Solaris 2.6 without patch 105402-42
  • Solaris 7 without patch 106943-25
  • Solaris 8 without patch 108828-40 and without patch 108994-18
  • Solaris 9 without patch 113719-07

Solaris 2.5.1 will not be evaluated regarding the potential impact of the issue described in this Sun Alert document.

Note: Patch 108827-40 has been obsoleted by patch 108993-18. Patch 108828-40 has been obsoleted by patch 108994-18.


Symptoms

The "rpcbind" process is no longer running.

When executed, the rpcinfo(1M) command will display an error message as in the following example:

    $ rpcinfo
    rpcinfo: can't contact rpcbind: RPC: Rpcbind failure - RPC: Failed (unspecified error)

Workaround

As a precaution, consider refusing access to rpcbind(1M) from untrusted networks. This can be achieved by blocking connections from untrusted networks to the ports used by rpcbind(1M) (typically ports 111/UDP and 111/TCP; use "rpcinfo | grep rpcbind" to determine the UDP/TCP ports in use by rpcbind(1M)).

To facilitate restarting rpcbind(1M), consider generating a list of currently registered RPC services. This can be done by terminating the "rpcbind" process once with a "TERM" signal, after all hosted RPC services have been started, and then restarting it with the "-w" option:

    # pkill -TERM rpcbind
    # /usr/sbin/rpcbind -w

As a result, the "rpcbind" process will write a list of all currently registered RPC services to the "/tmp/rpcbind.file" and "/tmp/portmap.file" files.

Should the "rpcbind" process exit unexpectedly later, it can be restarted with the "-w" option to re-register the RPC services that were available at the time the "pkill -TERM rpcbind" was issued:

    # /usr/sbin/rpcbind -w

This will eliminate the need to restart hosted RPC services after restarting rpcbind(1M).


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 2.6 with patch 105401-42 or later
  • Solaris 7 with patch 106942-25 or later
  • Solaris 8 with patch 108827-40 (patch 108827-40 has been obsoleted by patch 108993-18)
  • Solaris 8 with patch 108993-18 or later
  • Solaris 9 with patch 113319-07 or later

x86 Platform

  • Solaris 2.6 with patch 105402-42 or later
  • Solaris 7 with patch 106943-25 or later
  • Solaris 8 with patch 108828-40 (patch 108828-40 has been obsoleted by patch 108994-18)
  • Solaris 8 with patch 108994-18 or later
  • Solaris 9 with patch 113719-02 or later
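
The following is an added example, not part of the original Sun Alert: a POSIX shell check that compares `showrev -p` output against the SPARC patch levels listed above. The function names and the sample patch listing are constructed for illustration; it assumes a POSIX shell and covers the SPARC platform only.

```shell
#!/bin/sh
# Added example (not from the Sun Alert): patch-level check for Bug Id 4710928.
# SPARC minimums from the Resolution section, keyed by `uname -r`
# (SunOS 5.6/5.7/5.8/5.9 = Solaris 2.6/7/8/9). Solaris 8 has two acceptable patches.
REQUIRED_SPARC="5.6:105401-42 5.7:106942-25 5.8:108827-40 5.8:108993-18 5.9:113319-07"

# Constructed sample of `showrev -p` output for a Solaris 8 host (not real data).
sample_showrev() {
    cat <<'EOF'
Patch: 108528-29 Obsoletes: Requires: Incompatibles: Packages: SUNWcsu, SUNWcsr
Patch: 108993-18 Obsoletes: 108827-40 Requires: Incompatibles: Packages: SUNWcsl, SUNWcsu
EOF
}

# patch_installed BASE MINREV: reads `showrev -p` output on stdin and succeeds
# if a "Patch: BASE-NN" line has NN >= MINREV. Only the Patch: field is examined,
# so ids that appear in an Obsoletes: field never count as installed.
patch_installed() {
    while read -r tag id _rest; do
        [ "$tag" = "Patch:" ] && [ "${id%-*}" = "$1" ] || continue
        [ "${id#*-}" -ge "$2" ] && return 0
    done
    return 1
}

# rpcbind_fixed RELEASE: RELEASE is the `uname -r` value; `showrev -p` output on stdin.
# Returns 0 and names the matching entry when a fixing patch is installed.
rpcbind_fixed() {
    out=$(cat)
    for entry in $REQUIRED_SPARC; do
        [ "${entry%%:*}" = "$1" ] || continue
        patch=${entry#*:}
        if printf '%s\n' "$out" | patch_installed "${patch%-*}" "${patch#*-}"; then
            echo "SunOS $1: $patch or later installed"
            return 0
        fi
    done
    echo "SunOS $1: no patch listed in the alert found; treat rpcbind as exposed"
    return 1
}

# On a live host: showrev -p | rpcbind_fixed "$(uname -r)"
sample_showrev | rpcbind_fixed 5.8
```

A non-zero exit status marks a host that still needs the patch or the network-level workaround described above.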


Modification History

References

105401-42
105402-42
106942-25
106943-25
108827-40
108828-40
108993-18
108994-18
113319-07
113719-02



