Port 111 rpcbind Vulnerability

On November 2, 2015, the Information Security Office (ISO) asked the IT community to configure systems so that their portmappers (also known as rpcbind) were not exposed to the public Internet, or required authentication to access. Here is the ISO's description of the portmapper, its concerns with the portmapper, and its plan of action for systems with portmappers exposed to the public Internet:

"Portmapper is an RPC service, which always listens on tcp and udp 111, and is used to map other RPC services (such as nfs, nlockmgr, quotad, mountd, etc.) to their corresponding port number on the server. When a remote host makes an RPC call to that server, it first consults with portmap to determine where the RPC server is listening.
"Querying portmapper is a small request (~82 bytes via UDP) which generates a large response (7x to 28x amplification), which makes it a good candidate for DDoS attacks--especially considering its prevalence among virtually all modern Unix systems.
"If a firewall is not already in use, the easiest way to prevent undesired public access to this service is to whitelist hosts which require communication with portmapper on your server (e.g., NFS clients) to the hosts.allow file, and to deny ALL: ALL in your hosts.deny file for the portmap service. More information on configuring these files can be found in this documentation: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-TCP_Wrappers_and_xinetd-TCP_Wrappers_Configuration_Files.html. You can test your configuration by running rpcinfo -p -T udp 1.2.3.4 from an unauthorized system. Note that there is no specific Selfscan vulnerability that will identify that portmap is running, so if your asset is a *nix system/embedded device it's probably safe to assume that it is.
"If the system is an embedded device or printer or doesn’t otherwise support TCP wrappers, it should be relocated to private address space. Systems on private address space are out of scope.
"In two weeks, the Information Security Office will begin notifying and scheduling quarantines for a month in advance. If you have any questions or concerns in the meantime, please contact security@utexas.edu. Thanks for your vigilance."

On Monday, November 16, 2015, the ISO began issuing pro-active quarantines, to go into effect December 16, 2015, on systems with portmappers exposed to the public Internet. These systems include printers and Windows machines. Owners and administrators are strongly encouraged to move printers to campus-only printer VLANs, and to configure firewalls or TCP wrappers on systems that must stay publicly accessible so that their portmappers aren't exposed.
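The TCP wrappers fix the ISO describes (whitelist NFS clients in hosts.allow, deny ALL: ALL in hosts.deny) and the advice above to use TCP wrappers on hosts that must stay public both hinge on the order in which those two files are consulted. The script below is an added example, not part of the ISO notice or any CNS tool: it writes the two files into a scratch directory (never /etc), then replays the wrappers decision order offline so you can see which clients would get through before you deploy. The client addresses, the subnet mask, and the sshd entry are constructed assumptions; substitute your own NFS clients.

```shell
#!/bin/sh
# Added example (not part of the ISO notice): generate the hosts.allow /
# hosts.deny pair the notice recommends for portmap/rpcbind, then replay
# the TCP wrappers decision order offline to confirm who gets through.
# Files are written to a scratch directory, never to /etc, so this is safe
# to run anywhere; copy the two files into /etc only after reviewing them.

WRAP_DIR="${WRAP_DIR:-$(mktemp -d)}"

# Constructed whitelist: the NFS clients (one subnet, one host) that
# legitimately need to reach rpcbind on this server. Assumed values.
ALLOWED_CLIENTS="10.0.5.0/255.255.255.0 192.0.2.17"

write_wrappers() {
    {
        echo "# Only NFS clients may query the portmapper (rpcbind on current"
        echo "# Red Hat releases, portmap on older ones; list both to be safe)"
        echo "rpcbind, portmap: $(printf '%s' "$ALLOWED_CLIENTS" | tr ' ' ',')"
        echo "# hosts.deny below uses ALL: ALL, so every other wrapped daemon"
        echo "# you rely on must also be granted here (assumed: sshd)"
        echo "sshd: ALL"
    } > "$WRAP_DIR/hosts.allow"
    {
        echo "# Whatever hosts.allow did not grant is refused"
        echo "ALL: ALL"
    } > "$WRAP_DIR/hosts.deny"
}

# Dotted quad -> 32-bit integer, using only POSIX shell arithmetic.
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Does one client pattern (ALL, exact address, or net/mask) match an IP?
client_matches() {
    pat=$1; addr=$2
    case $pat in
        ALL) return 0 ;;
        */*) net=${pat%/*}; mask=${pat#*/}
             [ $(( $(ip_to_int "$addr") & $(ip_to_int "$mask") )) -eq \
               $(( $(ip_to_int "$net") & $(ip_to_int "$mask") )) ] ;;
        *)   [ "$pat" = "$addr" ] ;;
    esac
}

# Return 0 if any "daemon_list : client_list" rule in $1 matches daemon $2
# contacted from client $3. Blank lines and comments are skipped.
file_matches() {
    rulefile=$1; daemon=$2; client=$3
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        dmatch=1
        for d in $(printf '%s' "${line%%:*}" | tr ',' ' '); do
            [ "$d" = ALL ] || [ "$d" = "$daemon" ] && dmatch=0
        done
        [ $dmatch -eq 0 ] || continue
        for c in $(printf '%s' "${line#*:}" | tr ',' ' '); do
            client_matches "$c" "$client" && return 0
        done
    done < "$rulefile"
    return 1
}

# TCP wrappers order: a hosts.allow match grants, else a hosts.deny match
# refuses, else access is granted (the reason an empty hosts.deny is unsafe).
wrappers_decision() {
    if file_matches "$WRAP_DIR/hosts.allow" "$1" "$2"; then echo allow
    elif file_matches "$WRAP_DIR/hosts.deny" "$1" "$2"; then echo deny
    else echo allow
    fi
}

write_wrappers
for who in 192.0.2.17 10.0.5.42 198.51.100.9; do
    echo "rpcbind from $who: $(wrappers_decision rpcbind "$who")"
done
```

Two points the replay makes visible. First, because hosts.deny holds ALL: ALL, every other wrapped daemon on the host needs its own hosts.allow line: with the files above, mountd contacted from the whitelisted NFS client is refused until a mountd entry is added, and sshd is only reachable because of the assumed sshd line. Second, the service name in a rule has to match the daemon's name on that system (rpcbind on current Red Hat releases, portmap on older ones); listing both is harmless. After copying the files into /etc, confirm the result the way the notice suggests, by running rpcinfo -p -T udp against the server from a host that is not on the whitelist and checking that the query is refused.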

Written by CNS OIT staff
Questions or comments? The best and easiest way to contact us is via the CNS Help Desk form.