A CVE has been assigned for a remote DoS issue reported upstream to rpcbind:
http://openwall.com/lists/oss-security/2015/09/17/6

The upstream mailing list post linked in the message above contains a suggested patch, which upstream hasn't taken any action on yet.

Upstream git is here:
http://git.linux-nfs.org/?p=steved/rpcbind.git;a=summary

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Potentially more correct suggested patch here:
http://openwall.com/lists/oss-security/2015/09/18/7

We'll see what upstream thinks.
Debian-LTS has issued an advisory for this on September 20:
http://lwn.net/Alerts/657976/

Upstream doesn't have a commit to fix this yet.
URL: (none) => http://lwn.net/Vulnerabilities/657992/
Debian has issued an advisory for this on September 23:
https://www.debian.org/security/2015/dsa-3366

They used this patch from SuSE:
http://openwall.com/lists/oss-security/2015/09/18/7

Upstream still hasn't committed anything.

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated rpcbind package fixes security vulnerability:

A remotely triggerable use-after-free vulnerability was found in rpcbind, a server that converts RPC program numbers into universal addresses. A remote attacker can take advantage of this flaw to mount a denial of service (rpcbind crash) (CVE-2015-7236).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7236
https://www.debian.org/security/2015/dsa-3366
========================

Updated packages in core/updates_testing:
========================
rpcbind-0.2.2-1.1.mga5

from rpcbind-0.2.2-1.1.mga5.src.rpm
Version: Cauldron => 5
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO => (none)
I don't see an obvious PoC for crashing rpcbind.

If you have the rpcbind.service enabled and running, you should be able to query it for available RPC services with the command "rpcinfo -p" (run locally) or "rpcinfo -p {IPAddress}" from a remote machine, replacing {IPAddress} with the machine running rpcbind's IP address (this assumes port 111 is not blocked by the firewall).

This worked fine for me on Mageia 5 i586. Output looks like:

   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  37811  status
    100024    1   tcp  36062  status
Whiteboard: (none) => has_procedure MGA5-32-OK
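Added example (not part of the original comments or of any Mageia QA tooling): the "rpcinfo -p" check from the procedure above as a script. It fails if the portmapper (program 100000) is not listed on port 111 for versions 2 to 4 over tcp and udp, which includes the case where rpcinfo prints nothing because rpcbind is not answering. The names check_portmapper and sample_ok and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify portmapper registrations in `rpcinfo -p` output.

# Reads `rpcinfo -p` output on stdin. Returns 0 if program 100000 is listed on
# port 111 for versions 2, 3 and 4 over both tcp and udp; otherwise prints each
# missing entry and returns 1 (empty input, e.g. rpcbind down, fails too).
check_portmapper() {
    awk '
        # Rows are: program vers proto port [service]; the header never matches.
        $1 == "100000" && $4 == "111" { seen[$2 "/" $3] = 1 }
        END {
            missing = 0
            n = split("tcp udp", protos, " ")
            for (v = 2; v <= 4; v++) {
                for (i = 1; i <= n; i++) {
                    key = v "/" protos[i]
                    if (!(key in seen)) {
                        printf "missing: portmapper v%s\n", key
                        missing++
                    }
                }
            }
            exit (missing > 0)
        }
    '
}

# Constructed sample in the same format as the output quoted in the comment.
sample_ok() {
    cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  37811  status
    100024    1   tcp  36062  status
EOF
}

# On a live system: rpcinfo -p 2>/dev/null | check_portmapper
# The constructed sample is used here so the script runs offline.
if sample_ok | check_portmapper; then
    echo "rpcbind check: OK"
else
    echo "rpcbind check: FAILED"
fi
```

Running it before and after restarting rpcbind.service and rpcbind.socket on the updated package gives a pass/fail result for each architecture tested.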
mga5 x86_64

Installed package : rpcbind-0.2.2-1.1.mga5.x86_64.rpm

systemctl restart rpcbind.service
systemctl restart rpcbind.socket

rpcinfo -p output Ok.

Update OK.
CC: (none) => yann.cantin
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK
Well done Yann! Validating. Advisory uploaded.

Please push to 5 updates

Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0383.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED