Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:590 |
Message | RPC portmap ypserv request UDP |
Summary | This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) ypserv is listening. |
Impact | Information disclosure. This request is used to discover which port ypserv is using. Attackers can also learn what versions of the ypserv protocol are accepted by ypserv. |
Detailed Information | The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as ypserv run. The ypserv RPC service looks up information in the local Network Information Service (NIS) maps. The ypserv program provides the server function for Yellow Pages (YP) by providing clients information from NIS maps. Multiple vulnerabilities are associated with the ypserv RPC program. |
Affected Systems | All hosts running the UNIX portmapper. |
Attack Scenarios | An attacker can query the portmapper to discover the port where ypserv runs. This may be a precursor to accessing ypserv. |
Ease of Attack | Easy. |
Corrective Action | Limit remote access to RPC services. Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. Disable unneeded RPC services. |
Additional References | Bugtraq http://www.securityfocus.com/bid/6016 http://www.securityfocus.com/bid/5914 CVE http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1232 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1042 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1043 Arachnids: http://www.whitehats.com/info/IDS12 |
Rule References | arachnids: 12 bugtraq: 5914 bugtraq: 6016 cve: 2000-1042 cve: 2000-1043 cve: 2002-1232 |
--
DID:515970
--
http://www.aanval.com/