COMMAND

    rpcbind

SYSTEMS AFFECTED

    SunOS versions 5.5.1, 5.5.1_x86,  5.5, 5.5_x86, 5.4, 5.4_x86,  and
    5.3.

PROBLEM

    The rpcbind program is a server that converts RPC program  numbers
    into  universal  addresses.  When  an  RPC  service is started, it
    tells rpcbind the  address at which  it is listening,  and the RPC
    program numbers it is prepared  to serve. When a client  wishes to
    make an  RPC call  to a  given program  number, it  first contacts
    rpcbind on the server machine  to determine the address where  RPC
    requests should be sent.

    On Solaris 2.x operating systems, rpcbind listens not only on TCP
    port 111 and UDP port 111, but also on a port greater than 32770.
    As a result, a large number of packet filters that are intended to
    block access to rpcbind/portmapper are ineffective. Instead of
    sending requests to TCP or UDP port 111, the attacker simply sends
    them to a UDP port greater than 32770 on which rpcbind is
    listening.

    This vulnerability allows an attacker to obtain remote RPC program
    information even if TCP or UDP port 111 is being filtered. It can
    also help an attacker gain unauthorized access to hosts running
    vulnerable versions of the software.
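
    A filter or sensor that keys only on port 111 misses these
    requests; decoding the RPC call header and matching on the rpcbind
    program number (100000) catches them on any UDP port. The following
    is an added example, not part of the original advisory; the function
    names and the sample packets (addresses and port numbers) are
    constructed for illustration.

```python
import struct

RPCBIND_PROG = 100000     # ONC RPC program number of portmapper/rpcbind
RPCBIND_PORT = 111        # the only port a port-based filter usually covers
CALL, RPC_VERSION = 0, 2  # msg_type CALL and RPC protocol version 2


def parse_rpc_call(payload):
    """Return (xid, prog, vers, proc) for a UDP ONC RPC call, else None.
    UDP only: RPC over TCP puts a 4-byte record mark before this header."""
    if len(payload) < 24:
        return None
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">6I", payload[:24])
    if mtype != CALL or rpcvers != RPC_VERSION:
        return None
    return xid, prog, vers, proc


def flag_offport_rpcbind(packets):
    """packets: (src_ip, dst_port, udp_payload) tuples from a capture.
    Report rpcbind calls addressed to any UDP port other than 111."""
    alerts = []
    for src, dport, payload in packets:
        call = parse_rpc_call(payload)
        if call and call[1] == RPCBIND_PROG and dport != RPCBIND_PORT:
            alerts.append({"src": src, "dst_port": dport,
                           "vers": call[2], "proc": call[3]})
    return alerts


def build_call(xid, prog, vers, proc):
    """Build a constructed test datagram: call header plus empty AUTH_NONE
    credential and verifier (flavor 0, length 0 each)."""
    header = struct.pack(">6I", xid, CALL, RPC_VERSION, prog, vers, proc)
    return header + struct.pack(">4I", 0, 0, 0, 0)


# Constructed sample traffic (documentation addresses, made-up ports).
SAMPLE = [
    ("192.0.2.10", 111, build_call(1, RPCBIND_PROG, 2, 4)),    # DUMP to 111
    ("192.0.2.66", 32771, build_call(2, RPCBIND_PROG, 2, 4)),  # DUMP, high port
    ("192.0.2.20", 32771, build_call(3, 100003, 3, 0)),        # not rpcbind
    ("192.0.2.30", 32772, b"\x00\x01"),                        # not RPC at all
]

if __name__ == "__main__":
    for alert in flag_offport_rpcbind(SAMPLE):
        print("rpcbind call on non-111 port:", alert)
```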

    Note that the rpcbind vulnerability is bigger than this.

SOLUTION

    The standard rpcbind shipped with Solaris 2.x systems displays
    this behaviour.  Older SunOS implementations are NOT vulnerable.
    Wietse Venema's rpcbind replacement will service portmapper
    requests sent to a high-numbered UDP port.  However, the access
    control imposed by the rpcbind replacement will behave normally,
    even for queries sent to that high-numbered port.  This
    vulnerability is fixed in the upcoming release of Solaris.
    Patches are:

        SunOS 5.5.1             104331-02      (Solaris 2.5.1)
        SunOS 5.5.1_x86         104332-02      (Solaris 2.5.1 x86)
        SunOS 5.5               104357-02      (Solaris 2.5)
        SunOS 5.5_x86           104358-02      (Solaris 2.5 x86)
        SunOS 5.4               102070-03      (Solaris 2.4)
        SunOS 5.4_x86           102071-03      (Solaris 2.4 x86)
        SunOS 5.3               102034-02      (Solaris 2.3)

    The patches listed are available to all Sun customers via the
    World Wide Web at:

        ftp://sunsolve1.sun.com/pub/patches/patches.html

    Wietse has updated his rpcbind source so that it rejects requests
    from remote clients to UDP or TCP ports other than 111. It is
    ready for download; see:

        ftp://ftp.win.tue.nl/pub/security/index.html

    Note that there is at least one report that states that the patch
    for SunOS 5.5.1 didn't work as it should.  It seems that this is
    bigger than described here.