(CentOS Issues Fix) Rpcbind Memory Leak in rpcb_service_4() Lets Remote Users Consume Excessive Memory Resources
SecurityTracker Alert ID: 1038549
SecurityTracker URL: http://securitytracker.com/id/1038549
CVE Reference: CVE-2017-8779
Date: May 24 2017
Impact:
Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Description:
A vulnerability was reported in Rpcbind. A remote user can consume excessive memory on the target system.
A remote user can send a large number of specially crafted XDR messages to trigger a memory leak in rpcb_service_4() to consume excessive memory on the target system.
The vulnerability resides in the libntirpc component.
The original advisory and the demonstration exploit are available at:
https://guidovranken.wordpress.com/2017/05/03/rpcbomb-remote-rpcbind-denial-of-service-patches/
Guido Vranken reported this vulnerability.
Impact:
A remote user can consume excessive memory resources on the target system.
Solution:
CentOS has issued a fix. The updated packages are listed below with their sha256 sums (sha256sum followed by filename):
i386:
9c11e7bbce5dab16b850853f4326f33f964dbfbb37f74b73b8db6f9f0f7d5f63 rpcbind-0.2.0-13.el6_9.i686.rpm
x86_64:
6d58fc80fd6222919987dae28bb21027ec7847004e8ec8981b0fa92861d090a2 rpcbind-0.2.0-13.el6_9.x86_64.rpm
Source:
b0176907e5c14eb295702cd39ada3f60cdbf05010508420a68696bfd206d6489 rpcbind-0.2.0-13.el6_9.src.rpm
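As an added example, not part of the SecurityTracker entry or the CentOS advisory, the following POSIX shell script checks a downloaded update package against the sha256 sums listed above, and checks whether an rpcbind version-release string is at or past the fixed build. The checksums are the advisory's own; the `release_is_fixed` rule (version stays 0.2.0 on CentOS 6, so release 13 or later is fixed) and the `installed_rpcbind_is_fixed` wrapper around `rpm -q` are assumptions, and the latter only works on a host where `rpm` exists.

```shell
#!/bin/sh
# Added example (not from the advisory): verify the CentOS 6 rpcbind update
# for CVE-2017-8779 before installing it, and check the installed release after.
# The sha256 sums below are the ones the advisory lists for the
# rpcbind-0.2.0-13.el6_9 packages.

# expected_sum_for FILENAME -> prints the advisory sha256 for a listed package,
# returns 1 for any file the advisory does not cover.
expected_sum_for() {
  case "$1" in
    rpcbind-0.2.0-13.el6_9.i686.rpm)
      echo 9c11e7bbce5dab16b850853f4326f33f964dbfbb37f74b73b8db6f9f0f7d5f63 ;;
    rpcbind-0.2.0-13.el6_9.x86_64.rpm)
      echo 6d58fc80fd6222919987dae28bb21027ec7847004e8ec8981b0fa92861d090a2 ;;
    rpcbind-0.2.0-13.el6_9.src.rpm)
      echo b0176907e5c14eb295702cd39ada3f60cdbf05010508420a68696bfd206d6489 ;;
    *) return 1 ;;
  esac
}

# sha256_matches EXPECTED PATH -> 0 if sha256sum of PATH equals EXPECTED.
sha256_matches() {
  actual=$(sha256sum "$2" | cut -d' ' -f1) || return 1
  [ "$actual" = "$1" ]
}

# verify_advisory_rpm PATH -> looks the file up by name and checks its sum,
# so a mirror that has not finished syncing, or a tampered download, fails here.
verify_advisory_rpm() {
  expected=$(expected_sum_for "$(basename "$1")") || {
    echo "no advisory checksum for $(basename "$1")" >&2
    return 1
  }
  sha256_matches "$expected" "$1"
}

# release_is_fixed VERSION-RELEASE (as printed by rpm, e.g. 0.2.0-13.el6_9)
# -> 0 when the package is at or past the fixed el6 build. Assumption: on
# CentOS 6 the version stays 0.2.0, so only the release number is compared.
release_is_fixed() {
  ver=${1%%-*}
  rel=${1#*-}
  relnum=${rel%%.*}
  case "$relnum" in ''|*[!0-9]*) return 1 ;; esac
  [ "$ver" = "0.2.0" ] && [ "$relnum" -ge 13 ]
}

# installed_rpcbind_is_fixed -> queries the local rpm database; hypothetical
# wrapper, only meaningful on a CentOS 6 host where rpm is present.
installed_rpcbind_is_fixed() {
  vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' rpcbind 2>/dev/null) || return 1
  release_is_fixed "$vr"
}

# Usage on a CentOS 6 host (not executed here):
#   verify_advisory_rpm ./rpcbind-0.2.0-13.el6_9.x86_64.rpm && echo "checksum ok"
#   installed_rpcbind_is_fixed && echo "rpcbind is patched" || echo "rpcbind still vulnerable"
```

Checking the sum before `rpm -U` matters because the advisory says the files are still syncing to mirrors; a partially synced or substituted file fails `verify_advisory_rpm`. The release check is deliberately narrow to the el6 0.2.0 line this advisory covers and is not a general rpm version comparison.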
Cause:
Resource error
Underlying OS: Linux (CentOS)
Underlying OS Comments: 6
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Subject: [CentOS-announce] CESA-2017:1267 Important CentOS 6 rpcbind Security Update
CentOS Errata and Security Advisory 2017:1267 Important
Upstream details at : https://rhn.redhat.com/errata/RHSA-2017-1267.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
i386:
9c11e7bbce5dab16b850853f4326f33f964dbfbb37f74b73b8db6f9f0f7d5f63 rpcbind-0.2.0-13.el6_9.i686.rpm
x86_64:
6d58fc80fd6222919987dae28bb21027ec7847004e8ec8981b0fa92861d090a2 rpcbind-0.2.0-13.el6_9.x86_64.rpm
Source:
b0176907e5c14eb295702cd39ada3f60cdbf05010508420a68696bfd206d6489 rpcbind-0.2.0-13.el6_9.src.rpm
--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS
_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce