Multiple Vendor RPC portmapper Access Restriction Bypass

This script is Copyright (C) 2011-2014 Tenable Network Security, Inc.


Synopsis :

The RPC portmapper on the remote host has an access restriction bypass
vulnerability.

Description :

The RPC portmapper running on the remote host (possibly included with
EMC Legato Networker, IBM Informix Dynamic Server, or AIX) has an
access restriction bypass vulnerability.

The service will only process pmap_set and pmap_unset requests that
have a source address of '127.0.0.1'. Since communication is
performed via UDP, the source address can be spoofed, effectively
bypassing the verification process. This allows remote,
unauthenticated attackers to register and unregister arbitrary RPC
services.

A remote attacker could exploit this to cause a denial of service or
eavesdrop on process communications.
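Since the impact of the bypass is that unexpected RPC programs can appear in (or vanish from) the portmapper's table, one defender-side check is to diff the live registrations against a known baseline. The following is an added example, not Tenable's plugin code or anything from the referenced vendors; it parses the format of `rpcinfo -p` output, and `SAMPLE_RPCINFO` and `BASELINE` are constructed values.

```python
"""Flag RPC registrations that differ from a baseline.

Added example (not Tenable's plugin code). Parses the text format of
`rpcinfo -p` and reports programs registered or removed outside the
expected set, which is what a pmap_set/pmap_unset bypass would cause.
"""
import re
from typing import Dict, Set, Tuple

# Constructed sample of `rpcinfo -p` output (not captured from a real host).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   udp   2049  nfs
    100005    1   udp  32768  mountd
    100099    1   udp  45000
"""

# Constructed baseline: registrations this host is expected to have.
BASELINE = {(100000, 2, "tcp"), (100000, 2, "udp"),
            (100003, 3, "udp"), (100005, 1, "udp")}

# Data lines: program, version, proto, port, optional service name.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)(?:\s+(\S+))?\s*$")

Key = Tuple[int, int, str]

def parse_rpcinfo(text: str) -> Dict[Key, Tuple[int, str]]:
    """Map (program, version, proto) -> (port, service name or '')."""
    regs: Dict[Key, Tuple[int, str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # header and blank lines do not match
            continue
        prog, vers, proto, port, name = m.groups()
        regs[(int(prog), int(vers), proto)] = (int(port), name or "")
    return regs

def diff_registrations(regs: Dict[Key, Tuple[int, str]],
                       baseline: Set[Key]) -> Tuple[Set[Key], Set[Key]]:
    """Return (unexpected, missing) keys relative to the baseline."""
    current = set(regs)
    return current - baseline, baseline - current

if __name__ == "__main__":
    regs = parse_rpcinfo(SAMPLE_RPCINFO)
    unexpected, missing = diff_registrations(regs, BASELINE)
    for key in sorted(unexpected):
        port, name = regs[key]
        print(f"UNEXPECTED program={key[0]} vers={key[1]} {key[2]}/{port} {name}")
    for key in sorted(missing):
        print(f"MISSING    program={key[0]} vers={key[1]} {key[2]}")
```

In practice the baseline is recorded from a known-good host and the script is run against real `rpcinfo -p` output on a schedule; an unnamed program on a high port, as in the sample, is the case worth investigating.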

See also :

http://www.zerodayinitiative.com/advisories/ZDI-11-168/
http://www.nessus.org/u?d2273224
http://www.ibm.com/support/docview.wss?uid=swg1IC76179
http://www.ibm.com/support/docview.wss?uid=swg1IC76177
http://www.ibm.com/support/docview.wss?uid=swg1IC76178
http://aix.software.ibm.com/aix/efixes/security/rpc_advisory.asc

Solution :

Apply the relevant patch from the referenced documents for EMC Legato
Networker, IBM Informix Dynamic Server, or AIX. If a different
application is being used, contact the vendor for a fix.

Risk factor :

Medium / CVSS Base Score : 6.4
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P)
CVSS Temporal Score : 5.3
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: RPC

Nessus Plugin ID: 54586

Bugtraq ID: 46044, 47875

CVE ID: CVE-2011-0321, CVE-2011-1210