Snort-alerts/RPC-portmap-mountd-request-UDP
RPC portmap mountd request UDP
Identification
| Id | 579 |
|---|---|
| Alert | RPC portmap mountd request UDP |
| Classification | rpc-portmap-decode |
Trigger
The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as mountd run. The mountd RPC service allows remote file system access through Network File System (NFS). A vulnerability exists in the code that logs NFS mount activity that can cause a buffer overflow, allowing the execution of arbitrary code with root privileges.
Affected systems
- Caldera OpenLinux Standard 1.2
- RedHat Linux 2.0, 2.1, 3.0.3, 4.0, 4.1, 4.2, 5.0, 5.1
Impact
Information disclosure. This request is used to discover which port mountd is using. Attackers can also learn what versions of the mountd protocol are accepted by mountd.
False positives
If a legitimate remote user is allowed to access mountd, this rule may trigger.
Scenario
An attacker can query the portmapper to discover the port where mountd runs. This may be a precursor to accessing mountd.
Example
Thank you for your comprehension.
Corrective actions
- Limit remote access to RPC services.
- Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
- Disable unneeded RPC services.