GEN:SID | 1:580 |
Message | RPC portmap nisd request UDP |
Summary | This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) nisd is listening.
|
Impact | Information disclosure. This request is used to discover which port nisd is using. Attackers can also learn what versions of the nisd protocol are accepted by nisd.
|
Detailed Information | The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as nisd run. The nisd RPC service implements Network Information Systems (NIS and NIS+). NIS and NIS+ provide centralized management and distribution of information about resources, such as users and hosts, in a network domain. A buffer overflow exists because of improper bounds checking, which can lead to execution of arbitrary commands on the host.
|
Affected Systems | Solaris 2.3 - 2.6 hosts running NIS+.
|
Attack Scenarios | An attacker can query the portmapper to discover the port where nisd runs. This may be a precursor to accessing nisd.
|
Ease of Attack | Simple.
|
Corrective Action | Limit remote access to RPC services.
Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
Disable unneeded RPC services.
|
Additional References | Bugtraq http://www.securityfocus.com/bid/677
CERT http://www.cert.org/advisories/CA-98.06.nisd.html
Arachnids http://www.whitehats.com/info/IDS21
|
Rule References | arachnids: 21
|