Hidden RPC Services Found on NSM at TCP Port 704 and UDP Port 701

[JSA10438]


Legacy Advisory Id:
PSN-2010-05-759
Product Affected:
This is a "zero day" vulnerability, present in the initial releases of NSM software and in later releases up to but not including the first fixed releases listed under Solution below.
Problem:
The portmapper/rpcbind process listens on port 111 (TCP and UDP) and maintains an up-to-date list of the RPC services registered on the same server (for example, the RPC program number, version and port number of each service). It acts as a "plugboard" for clients wanting to reach an RPC daemon on an arbitrary port: a client asks the well-known port 111 for a program and version, and portmapper answers with the port where that service is actually listening, to which the client then connects directly. Some security policy compliance scanners report the presence of portmapper/rpcbind on the target system as a vulnerability because it simplifies the enumeration of RPC services running on that system. This may be considered a "false positive" because even if portmapper/rpcbind is disabled, vulnerable RPC services can still be found and exploited with only slightly more effort.

If portmapper/rpcbind is removed or firewalled, standard RPC client programs will not be able to obtain the list of registered services in the usual manner, but an attacker can still identify RPC processes listening on particular ports by employing a penetration-testing technique known as "direct RPC scanning": an RPC NULL-procedure call for a candidate program number is sent straight to each open port, and the status in the reply reveals whether an RPC program (and which versions of it) answers there. Potentially vulnerable RPC services may therefore still be found and exploited.
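The following is an added worked example of the direct RPC scanning technique described above; it is not code from the advisory or from Juniper. It builds an ONC RPC v2 (RFC 5531) CALL for procedure 0 (the NULL procedure), which every RPC program must implement, sends it to a candidate port without consulting portmapper, and classifies the reply: SUCCESS or PROC_UNAVAIL means the program answers at that version, PROG_MISMATCH means the program is present and the reply states the supported version range, PROG_UNAVAIL means an RPC listener is there but for a different program. The candidate program numbers and the replies decoded in demo() are illustrative constructions, not captures from an NSM appliance, and the port numbers to probe are the scanner's input.

```python
"""Direct RPC scanning without portmapper (added example, not from the advisory).

An ONC RPC v2 (RFC 5531) CALL for procedure 0, the NULL procedure, is sent to a
candidate port. The accept/reject status in the REPLY reveals whether an RPC
program answers there, and for PROG_MISMATCH even which versions it supports.
The sample replies in demo() are constructed by hand, not captured from a host.
"""
import socket
import struct

CALL, REPLY = 0, 1
MSG_ACCEPTED, MSG_DENIED = 0, 1
ACCEPT_STAT = {0: "SUCCESS", 1: "PROG_UNAVAIL", 2: "PROG_MISMATCH",
               3: "PROC_UNAVAIL", 4: "GARBAGE_ARGS", 5: "SYSTEM_ERR"}
REJECT_STAT = {0: "RPC_MISMATCH", 1: "AUTH_ERROR"}
# Well-known program numbers to try when portmapper cannot be asked (example list).
CANDIDATE_PROGRAMS = {100000: "portmapper", 100003: "nfs", 100005: "mountd",
                      100021: "nlockmgr", 100024: "status"}


def build_null_call(xid, prog, vers):
    """Serialize a CALL for (prog, vers) procedure 0 with AUTH_NONE cred and verf."""
    # xid, msg_type, rpcvers, prog, vers, proc, cred flavor/len, verf flavor/len
    return struct.pack("!10I", xid, CALL, 2, prog, vers, 0, 0, 0, 0, 0)


def frame_tcp(msg):
    """Prepend the RPC-over-TCP record mark: last-fragment bit plus fragment length."""
    return struct.pack("!I", 0x80000000 | len(msg)) + msg


def parse_reply(data):
    """Decode a REPLY into {'xid', 'status'} plus 'low'/'high' for version mismatches."""
    xid, msg_type, reply_stat = struct.unpack_from("!3I", data, 0)
    if msg_type != REPLY:
        raise ValueError("not an RPC reply")
    off = 12
    if reply_stat == MSG_ACCEPTED:
        _flavor, vlen = struct.unpack_from("!2I", data, off)
        off += 8 + ((vlen + 3) & ~3)          # skip verifier body (XDR pads to 4 bytes)
        (stat,) = struct.unpack_from("!I", data, off)
        result = {"xid": xid, "status": ACCEPT_STAT.get(stat, "UNKNOWN")}
        if stat == 2:                          # PROG_MISMATCH carries low/high versions
            result["low"], result["high"] = struct.unpack_from("!2I", data, off + 4)
        return result
    (rstat,) = struct.unpack_from("!I", data, off)
    result = {"xid": xid, "status": REJECT_STAT.get(rstat, "UNKNOWN")}
    if rstat == 0:                             # RPC_MISMATCH carries low/high rpcvers
        result["low"], result["high"] = struct.unpack_from("!2I", data, off + 4)
    return result


def classify(reply):
    """Scanner verdict for the probed (prog, vers) from the decoded reply."""
    s = reply["status"]
    if s in ("SUCCESS", "PROC_UNAVAIL"):
        return "program present, version supported"
    if s == "PROG_MISMATCH":
        return "program present, versions %d-%d" % (reply["low"], reply["high"])
    if s == "PROG_UNAVAIL":
        return "RPC listener, different program"
    return "RPC listener, reply %s" % s


def probe_tcp(host, port, prog, vers=1, timeout=2.0, xid=0x5CA11):
    """Send one NULL call over TCP and classify the answer; None if no RPC reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(frame_tcp(build_null_call(xid, prog, vers)))
            hdr = s.recv(4)
            if len(hdr) < 4:
                return None
            need = struct.unpack("!I", hdr)[0] & 0x7FFFFFFF
            body = b""
            while len(body) < need:
                chunk = s.recv(need - len(body))
                if not chunk:
                    return None
                body += chunk
        reply = parse_reply(body)
        return classify(reply) if reply["xid"] == xid else None
    except (OSError, struct.error, ValueError):
        return None


def scan_port(host, port, programs=CANDIDATE_PROGRAMS):
    """Try each candidate program on one port; returns {name: verdict} for those found."""
    found = {}
    for prog, name in programs.items():
        verdict = probe_tcp(host, port, prog)
        if verdict and verdict.startswith("program present"):
            found[name] = verdict
    return found


def demo():
    """Classify three hand-built replies to a call with xid 0x1234 (constructed data)."""
    accepted_ok = struct.pack("!6I", 0x1234, REPLY, MSG_ACCEPTED, 0, 0, 0)
    mismatch = struct.pack("!8I", 0x1234, REPLY, MSG_ACCEPTED, 0, 0, 2, 1, 3)
    unavail = struct.pack("!6I", 0x1234, REPLY, MSG_ACCEPTED, 0, 0, 1)
    return [classify(parse_reply(r)) for r in (accepted_ok, mismatch, unavail)]


if __name__ == "__main__":
    print(demo())
```

Running scan_port against a host on which portmapper has been disabled but an RPC daemon still listens shows why the advisory calls the scanner finding a "false positive": the daemon answers the NULL call regardless of whether port 111 is open. A UDP variant differs only in omitting the record mark and matching replies by xid, since a UDP service may stay silent rather than reject.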

This issue affects NSMXpress, NSM Appliance, and NSM3000 if running an affected release of NSM software. NSM Server does not include the vulnerable services in its software distribution. NSM Server installations may or may not be vulnerable depending on what versions of the affected services are present and available on the underlying platform as provided independently by the customer.

This issue is being tracked as PR 465295. While this PR is not viewable by customers, it can be used as a reference when discussing the issue with JTAC.
Solution:
To address this issue, portmapper/rpcbind has been disabled in the fixed releases listed below.

All software releases built on or after 2010-02-23 contain the fix for this specific issue. Those releases include NSMXpress release 5.145238, release 2010.1, and all subsequent releases. Upgrading NSMXpress, NSM Appliance, and NSM3000 to a fixed release will resolve the vulnerability.

Please note that the portmapper/rpcbind services are not distributed with the NSM Server software, but rather exist within the host operating system. This vulnerability, if present in the customer's underlying operating system, will not be removed by upgrading to an unaffected version of NSM Server software. The issue can be addressed by upgrading the underlying operating system on the hosting server, or if an upgrade is not possible, then workarounds should be considered and applied.

Workaround:

Disable the portmapper service:

The open ports are caused by the portmapper process. One viable workaround is to disable portmapper at boot and then restart the system as follows (chkconfig only changes the boot-time configuration; the reboot is what stops the running process and the services registered with it). Note that any service on the host that depends on RPC, such as NFS or NIS, will stop working once portmapper is disabled.
# chkconfig portmap off
# reboot
Implementation:
Customers are encouraged to upgrade affected systems to fixed versions of software. KB16765 - "In which releases are vulnerabilities fixed?" describes which releases are selected to receive fixes for vulnerabilities per Juniper Networks' "End of Engineering" and "End of Life" support policies.

If upgrading software is not likely to occur for some time, then a workaround should be employed. In all cases, customers should evaluate the risks and benefits of any given workaround to ensure that it is appropriate and practical in the customer's own production environment.

How to obtain fixed software:
NSM Maintenance Releases are available at http://support.juniper.net/ from the "Download Software" links.

If a Maintenance Release is not adequate and access to NSM patches is needed, open a customer support case. A JTAC engineer will review your request and respond, ensuring that you will be provided with the most appropriate Patch Release for your specific situation.
CVSS Score:
5.0
Severity Level:
Medium
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories".