Date: Fri, 5 May 2017 11:52:49 +0200
From: Florian Weimer <>
Subject: Re: rpcbomb: remote rpcbind denial-of-service

On 05/05/2017 11:22 AM, Marcus Meissner wrote:
> On Wed, May 03, 2017 at 05:55:20PM -0700, Seth Arnold wrote:
>> On Wed, May 03, 2017 at 08:55:23PM +0200, Guido Vranken wrote:
>>> This vulnerability allows an attacker to allocate any amount of bytes
>>> (up to 4 gigabytes per attack) on a remote rpcbind host, and the
>>> memory is never freed unless the process crashes or the administrator
>>> halts or restarts the rpcbind service.
>>> [...]
>>> An extensive write-up can be found here:
>>> Exploit + patches:
>> Hello Guido, nice find. Have CVE numbers been requested for this issue
>> yet? Have you investigated if ntirpc is affected too? Much of the code
>> looks similar:
> We also saw glibc affected.
> That said, your reproducer allocates virtual memory, and on systems with overcommit
> there is only negligible impact on overall memory pressure.
> The rpc service will however likely crash at some point though when there is no virtual
> address space left for it.

Thanks, I filed it upstream as well:

Looks like both xdr_bytes and xdr_string have a similar bug.

I'd appreciate some guidance on reusing or not reusing CVE IDs here.

