GEN:SID | 1:587 |
Message | RPC portmap status request UDP |
Summary | This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) statd is listening.
|
Impact | Information disclosure. This request is used to discover which port statd is using. Attackers can also learn what versions of the statd protocol are accepted by statd.
|
Detailed Information | The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as statd run. The statd RPC service manages Network File System (NFS) locks for exclusive access to a remote file. Multiple vulnerabilities that have allowed execution of arbitrary commands as root have been associated with statd.
|
Affected Systems | Multiple; refer to your vendor for specific information.
|
Attack Scenarios | An attacker can query the portmapper to discover the port where statd runs. This may be a precursor to accessing statd.
|
Ease of Attack | Simple.
|
Corrective Action | Limit remote access to RPC services.
Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
Disable unneeded RPC services.
|
Additional References | Arachnids http://www.whitehats.com/info/IDS15
|
Rule References | arachnids: 15
|