rpcbind still vulnerable with CVE-2017-8779
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
rpcbind (Ubuntu) | Fix Released | Undecided | Unassigned |
Bionic | Fix Released | Undecided | Marc Deslauriers |
Bug Description
The site (https:/
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable (0.2.3-0.6)
I'm using an NVIDIA Jetson AGX with rpcbind in the environment.
$ apt list | grep rpcbind
rpcbind/
$ cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.5 LTS (Bionic Beaver)"
ID=ubuntu
When I tried the 'rpcbomb' attack using Metasploit, I found it was successfully done.
msf6 > use auxiliary/
msf6 auxiliary(
msf6 auxiliary(
In other words, rpcbind was made to consume memory, which led to 43GB+ memory usage in the end.
I don't know if this is a bug or some degradation, but it could be a vulnerability causing a DoS attack, so let me report it.
CVE References
Changed in rpcbind (Ubuntu):
status: New → Fix Released
Changed in rpcbind (Ubuntu Bionic):
status: New → In Progress
assignee: nobody → Marc Deslauriers (mdeslaur)
I can confirm the upstream patches for CVE-2017-8779, while solving the original issue, don't solve the issue caused by running the original exploit in a loop and doing small allocations until memory consumption grows to a large number. This no longer works in Focal, so we may need to investigate what changed in rpcbind and libtirpc to determine what to backport.
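
A defender-side check for the behaviour discussed in this report: rpcbind memory that grows through many small steps rather than one large jump. This is an added example, not part of the bug report or of rpcbind; the function names, thresholds and sample readings are constructed assumptions to be tuned per host.

```python
import re

def parse_vmrss_kib(status_text):
    """Extract VmRSS (KiB) from the text of /proc/<pid>/status."""
    m = re.search(r"^VmRSS:\s+(\d+)\s+kB", status_text, re.MULTILINE)
    return int(m.group(1)) if m else None

def classify_growth(samples, spike_kib=512 * 1024, slope_kib_s=1024, min_points=5):
    """samples: list of (unix_seconds, rss_kib), oldest first.
    Returns 'spike', 'sustained-growth' or 'ok' (thresholds are assumptions)."""
    if len(samples) < 2:
        return "ok"
    deltas = [b[1] - a[1] for a, b in zip(samples, samples[1:])]
    # One large step between two readings: a single oversized allocation.
    if max(deltas) >= spike_kib:
        return "spike"
    if len(samples) < min_points:
        return "ok"
    # Many small steps: require growth in most intervals and a steep
    # least-squares slope, so normal jitter does not trigger.
    rising = sum(1 for d in deltas if d > 0)
    n = len(samples)
    mean_t = sum(t for t, _ in samples) / n
    mean_r = sum(r for _, r in samples) / n
    var_t = sum((t - mean_t) ** 2 for t, _ in samples)
    if var_t == 0:
        return "ok"
    slope = sum((t - mean_t) * (r - mean_r) for t, r in samples) / var_t
    if rising >= 0.8 * len(deltas) and slope >= slope_kib_s:
        return "sustained-growth"
    return "ok"

# Constructed readings (seconds, KiB); not measurements from the report.
STATUS_SAMPLE = "Name:\trpcbind\nVmPeak:\t   52000 kB\nVmRSS:\t    3412 kB\n"
IDLE = [(0, 3400), (10, 3412), (20, 3408), (30, 3412), (40, 3410)]
LOOPED = [(0, 3400), (10, 43400), (20, 83400), (30, 123400), (40, 163400)]
ONE_SHOT = [(0, 3400), (10, 3412), (20, 2100000)]

if __name__ == "__main__":
    print(parse_vmrss_kib(STATUS_SAMPLE))
    for name, s in (("idle", IDLE), ("looped", LOOPED), ("one-shot", ONE_SHOT)):
        print(name, classify_growth(s))
```

On a live host the readings would come from polling `/proc/<pid>/status` for the rpcbind process at a fixed interval.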