Vulnerability CVE-2017-8779: Information

Description

rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.

Severity: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2017-8779
Published: May 4, 2017
Modified: Oct. 3, 2019
Error type identifier: CWE-770

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
libtirpcsisyphus1.0.2-alt11.3.4-alt1ALT-PU-2017-1816-1185112Fixed
libtirpcp101.0.2-alt11.3.3-alt1ALT-PU-2017-1816-1185112Fixed
libtirpcp91.0.2-alt11.0.3-alt1ALT-PU-2017-1816-1185112Fixed
libtirpcc10f11.0.2-alt11.3.3-alt1ALT-PU-2017-1816-1185112Fixed
libtirpcc9f21.0.2-alt11.0.3-alt1ALT-PU-2017-1816-1185112Fixed
rpcbindsisyphus1.2.5-alt11.2.6-alt1.qa1ALT-PU-2018-2163-1211532Fixed
rpcbindp101.2.5-alt11.2.6-alt1.qa1ALT-PU-2018-2163-1211532Fixed
rpcbindp91.2.5-alt11.2.5-alt2ALT-PU-2018-2163-1211532Fixed
rpcbindc10f11.2.5-alt11.2.6-alt1.qa1ALT-PU-2018-2163-1211532Fixed
rpcbindc9f21.2.5-alt11.2.5-alt2ALT-PU-2018-2163-1211532Fixed
rpcbindc70.2.1-alt0.6.M70C.20.2.1-alt0.6.M70C.2ALT-PU-2017-2204-1188132Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://guidovranken.wordpress.com/2017/05/03/rpcbomb-remote-rpcbind-denial-of-service-patches/
  • Third Party Advisory
https://github.com/guidovranken/rpcbomb/
  • Issue Tracking
  • Patch
  • Third Party Advisory
http://openwall.com/lists/oss-security/2017/05/04/1
  • Mailing List
  • Patch
  • Third Party Advisory
http://openwall.com/lists/oss-security/2017/05/03/12
  • Mailing List
  • Patch
  • Third Party Advisory
98325
  • Third Party Advisory
  • VDB Entry
https://github.com/drbothen/GO-RPCBOMB
  • Issue Tracking
  • Patch
  • Third Party Advisory
GLSA-201706-07
    1038532
      41974
        DSA-3845
          RHSA-2017:1395
            RHSA-2017:1268
              RHSA-2017:1267
                RHSA-2017:1263
                  RHSA-2017:1262
                    RHBA-2017:1497
                      https://security.netapp.com/advisory/ntap-20180109-0001/
                        USN-3759-2
                          USN-3759-1

                              1. Configuration 1

                                cpe:2.3:a:rpcbind_project:rpcbind:*:*:*:*:*:*:*:*
                                End including
                                0.2.4

                                Configuration 2

                                cpe:2.3:a:libtirpc_project:libtirpc:*:*:*:*:*:*:*:*
                                End including
                                1.0.1

                                Configuration 3

                                cpe:2.3:a:ntirpc_project:ntirpc:*:*:*:*:*:*:*:*
                                End including
                                1.4.3
                            VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
                            Version: v24.4.2
                            Back to top