Multiple Vendor RPC portmapper Access Restriction Bypass

Medium Nessus Plugin ID 54586


The RPC portmapper on the remote host has an access restriction bypass vulnerability.


The RPC portmapper running on the remote host (possibly included with EMC Legato Networker, IBM Informix Dynamic Server, or AIX) has an access restriction bypass vulnerability.

The service will only process pmap_set and pmap_unset requests that have a source address of ''. Since communication is performed via UDP, the source address can be spoofed, effectively bypassing the verification process. This allows remote, unauthenticated attackers to register and unregister arbitrary RPC services.

A remote attacker could exploit this to cause a denial of service or eavesdrop on process communications.


Apply the relevant patch from the referenced documents for EMC Legato Networker, IBM Informix Dynamic Server, or AIX. If a different application is being used, contact the vendor for a fix.

Plugin Details

Severity: Medium

ID: 54586

File Name: rpc_pmap_set_udp_spoofing.nasl

Version: 1.5

Type: remote

Family: RPC

Published: 2011/05/19

Modified: 2014/02/18

Dependencies: 10223, 11111

Risk Information

Risk Factor: Medium


Base Score: 6.4

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:ibm:informix, cpe:/a:emc:legato_networker

Required KB Items: Services/udp/rpc-portmapper

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2011/01/26

Vulnerability Publication Date: 2011/01/26

Reference Information

CVE: CVE-2011-0321, CVE-2011-1210

BID: 46044, 47875

OSVDB: 70686, 72701