[Bug 1925280] Re: rpcbind still vulnerable with CVE-2017-8779
Marc Deslauriers
1925280 at bugs.launchpad.net
Wed Jun 9 12:52:11 UTC 2021
Thanks for reporting the issue!
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to rpcbind in Ubuntu.
https://bugs.launchpad.net/bugs/1925280
Title:
rpcbind still vulnerable with CVE-2017-8779
Status in rpcbind package in Ubuntu:
Fix Released
Status in rpcbind source package in Bionic:
Fix Released
Bug description:
The site (https://ubuntu.com/security/CVE-2017-8779), indicates "Not Vulnerable" regarding environment
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable (0.2.3-0.6)
I'm using an NVIDIA Jetson AGX containing rpcbind on the environment.
$ apt list | grep rpcbind
rpcbind/bionic-updates,now 0.2.3-0.6ubuntu0.18.04.1 arm64 [installed]
$ cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.5 LTS (Bionic Beaver)"
ID=ubuntu
When I tried 'rpcbomb' attack with using Metasploit then found it was successfully done.
msf6 > use auxiliary/dos/rpc/rpcbomb
msf6 auxiliary(dos/rpc/rpcbomb) > set RHOSTS <IPaddress>
msf6 auxiliary(dos/rpc/rpcbomb) > run
In other words rpcbind was caused memory consumptions, which led to 43GB+ memory usage in the end.
I don't know if this is a bug or some degradation, but could be a vulnerability causing a DOS attack, so let me report it.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rpcbind/+bug/1925280/+subscriptions
More information about the foundations-bugs
mailing list