rpcbind still vulnerable with CVE-2017-8779

Bug #1925280 reported by Takeshi Hatae
Affects             Status        Importance  Assigned to        Milestone
rpcbind (Ubuntu)    Fix Released  Undecided   Unassigned
Bionic              Fix Released  Undecided   Marc Deslauriers

Bug Description

The site (https://ubuntu.com/security/CVE-2017-8779) indicates "Not Vulnerable" for this environment:
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable (0.2.3-0.6)

I'm using an NVIDIA Jetson AGX containing rpcbind on the environment.
$ apt list | grep rpcbind
rpcbind/bionic-updates,now 0.2.3-0.6ubuntu0.18.04.1 arm64 [installed]
$ cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.5 LTS (Bionic Beaver)"
ID=ubuntu

When I tried the 'rpcbomb' attack using Metasploit, I found that it succeeded.
msf6 > use auxiliary/dos/rpc/rpcbomb
msf6 auxiliary(dos/rpc/rpcbomb) > set RHOSTS <IPaddress>
msf6 auxiliary(dos/rpc/rpcbomb) > run

In other words, rpcbind's memory consumption kept growing, reaching 43GB+ of memory usage in the end.
I don't know if this is a bug or some degradation, but it could be a vulnerability enabling a DoS attack, so let me report it.


Marc Deslauriers (mdeslaur) wrote :

I can confirm the upstream patches for CVE-2017-8779, while solving the original issue, don't solve the issue caused by running the original exploit in a loop and doing small allocations until memory consumption grows to a large number. This no longer works in Focal, so we may need to investigate what changed in rpcbind and libtirpc to determine what to backport.

Marc Deslauriers (mdeslaur) wrote :

So the issue turned out to be that the wrong patch was used in the bionic package.

I have uploaded a new package for bionic to the security team PPA here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Could you possibly give it a try and comment here if it worked in your environment? If so, I'll release it as a security update.

Thanks!

Changed in rpcbind (Ubuntu):
status: New → Fix Released
Changed in rpcbind (Ubuntu Bionic):
status: New → In Progress
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package rpcbind - 0.2.3-0.6ubuntu0.18.04.2

---------------
rpcbind (0.2.3-0.6ubuntu0.18.04.2) bionic-security; urgency=medium

  * SECURITY UPDATE: DoS via memory consumption (LP: #1925280)
    - debian/patches/CVE-2017-8779.patch: pair all svc_getargs() calls with
      svc_freeargs() to avoid memory leak in src/pmap_svc.c,
      src/rpcb_svc.c, src/rpcb_svc_4.c, src/rpcb_svc_com.c.
    - debian/patches/CVE-2017-8779-2.patch: fix building without
      --enable-debug in src/pmap_svc.c.
    - The patch included in 0.2.3-0.6 did not correctly fix this issue.
    - CVE-2017-8779

 -- Marc Deslauriers <email address hidden> Tue, 08 Jun 2021 09:03:58 -0400

Changed in rpcbind (Ubuntu Bionic):
status: In Progress → Fix Released
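The changelog above says the fix pairs every svc_getargs() call with svc_freeargs(). The C program below is an added example, not rpcbind's or libtirpc's code: it models that pattern with a stand-in decoder for an XDR-style length-prefixed string argument and counts the bytes a handler leaves behind, so the difference between the leaking handler and the corrected one is measurable rather than only visible as growing daemon memory. The names getargs, freeargs, handle_leaky, handle_fixed and run_requests, and the "hello" request, are assumptions constructed for the example.

```c
/* Added example (not rpcbind's or libtirpc's code). The XDR decoder behind
 * svc_getargs() heap-allocates variable-length arguments; a handler that
 * returns without svc_freeargs() leaks them on every request, so a looping
 * client grows the daemon without bound. getargs()/freeargs() are stand-ins. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
static size_t live_bytes = 0;  /* bytes held by decoded args; >0 at the end = leak */
/* Stand-in for svc_getargs(): decode a 4-byte big-endian length plus that many
 * bytes into a freshly allocated C string. Returns NULL on malformed input. */
static char *getargs(const uint8_t *msg, size_t msglen) {
    if (msglen < 4) return NULL;
    uint32_t len = (uint32_t)msg[0] << 24 | msg[1] << 16 | msg[2] << 8 | msg[3];
    if (len > msglen - 4) return NULL;  /* claimed length exceeds the message */
    char *arg = malloc((size_t)len + 1);
    if (!arg) return NULL;
    memcpy(arg, msg + 4, len);
    arg[len] = '\0';
    live_bytes += (size_t)len + 1;
    return arg;
}
/* Stand-in for svc_freeargs(): release what getargs() allocated. */
static void freeargs(char *arg) {
    live_bytes -= strlen(arg) + 1;
    free(arg);
}
/* Handler shaped like the broken package: decodes, replies, never frees. */
static int handle_leaky(const uint8_t *msg, size_t msglen) {
    char *arg = getargs(msg, msglen);
    if (!arg) return -1;
    return (int)strlen(arg);  /* arg is unreachable after this return */
}
/* Corrected handler: every successful getargs() is paired with freeargs(). */
static int handle_fixed(const uint8_t *msg, size_t msglen) {
    char *arg = getargs(msg, msglen);
    if (!arg) return -1;
    int reply = (int)strlen(arg);
    freeargs(arg);
    return reply;
}

/* Push n copies of a constructed request through a handler; return bytes still
 * held afterwards: 0 for the fixed handler, n * 6 for the leaky one. */
static size_t run_requests(int (*handler)(const uint8_t *, size_t), int n) {
    static const uint8_t req[] = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};  /* "hello" */
    live_bytes = 0;
    for (int i = 0; i < n; i++) handler(req, sizeof req);
    return live_bytes;
}
```

With a real service the same contrast shows up as rpcbind's resident memory climbing under a looping client for the broken build and staying flat for the fixed one.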
Marc Deslauriers (mdeslaur) wrote :

An update has now been published to fix this issue:

https://ubuntu.com/security/notices/USN-4986-1

Thanks!

information type: Private Security → Public Security
Takeshi Hatae (takeshi200ok) wrote :

Hello Marc,

I confirmed the patch is perfectly working under the same test condition.
Thank you very much!

Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting the issue!
