(CentOS Issues Fix) Rpcbind Memory Leak in rpcb_service_4() Lets Remote Users Consume Excessive Memory Resources - SecurityTracker

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Category: Application (Generic) > Rpcbind

Vendors: libtirpc.sourceforge.net

(CentOS Issues Fix) Rpcbind Memory Leak in rpcb_service_4() Lets Remote Users Consume Excessive Memory Resources

SecurityTracker Alert ID: 1038549

SecurityTracker URL: http://securitytracker.com/id/1038549

CVE Reference: CVE-2017-8779 (Links to External Site)

Date: May 24 2017

Impact: Denial of service via network

Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes

Description: A vulnerability was reported in Rpcbind. A remote user can consume excessive memory on the target system.

A remote user can send a large number of specially crafted XDR messages to trigger a memory leak in rpcb_service_4() to consume excessive memory on the target system.

The vulnerability resides in the libntirpc component.

The original advisory and demonstration exploit is available at:

https://guidovranken.wordpress.com/2017/05/03/rpcbomb-remote-rpcbind-denial-of-service-patches/

Guido Vranken reported this vulnerability.

Impact: A remote user can consume excessive memory resources on the target system.

Solution: CentOS has issued a fix.

i386:
9c11e7bbce5dab16b850853f4326f33f964dbfbb37f74b73b8db6f9f0f7d5f63 rpcbind-0.2.0-13.el6_9.i686.rpm

x86_64:
6d58fc80fd6222919987dae28bb21027ec7847004e8ec8981b0fa92861d090a2 rpcbind-0.2.0-13.el6_9.x86_64.rpm

Source:
b0176907e5c14eb295702cd39ada3f60cdbf05010508420a68696bfd206d6489 rpcbind-0.2.0-13.el6_9.src.rpm

Cause: Resource error

Underlying OS: Linux (CentOS)

Underlying OS Comments: 6

Message History: This archive entry is a follow-up to the message listed below.

Rpcbind Memory Leak in rpcb_service_4() Lets Remote Users Consume Excessive Memory Resources

Source Message Contents

Subject: [CentOS-announce] CESA-2017:1267 Important CentOS 6 rpcbind Security Update


CentOS Errata and Security Advisory 2017:1267 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2017-1267.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

i386:
9c11e7bbce5dab16b850853f4326f33f964dbfbb37f74b73b8db6f9f0f7d5f63  rpcbind-0.2.0-13.el6_9.i686.rpm

x86_64:
6d58fc80fd6222919987dae28bb21027ec7847004e8ec8981b0fa92861d090a2  rpcbind-0.2.0-13.el6_9.x86_64.rpm

Source:
b0176907e5c14eb295702cd39ada3f60cdbf05010508420a68696bfd206d6489  rpcbind-0.2.0-13.el6_9.src.rpm



-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
This web site uses cookies for web analytics. Learn More
Copyright 2021, SecurityGlobal.net LLC