CVE-2017-8779

Impact: Important
Public Date: 2017-05-03
CWE: CWE-400
Bugzilla: 1448124: CVE-2017-8779 rpcbind, libtirpc, libntirpc: Memory leak when failing to parse XDR strings or bytearrays

It was found that due to the way rpcbind uses libtirpc (libntirpc), a memory leak can occur when parsing specially crafted XDR messages. An attacker sending thousands of messages to rpcbind could cause its memory usage to grow without bound, eventually causing it to be terminated by the OOM killer.

Find out more about CVE-2017-8779 from the MITRE CVE dictionary and NIST NVD.

Statement

In the default system configuration, with the sysctl variable vm.overcommit_memory set to either 0 (the default) or 1, an attack would take a not-insignificant amount of time to exhaust the system's memory. If vm.overcommit_memory is set to a value of 2, the time required to exhaust system memory is sufficiently reduced. It was further noticed that a 32-bit system would have its memory exhausted faster than a 64-bit system.

CVSS v3 metrics

CVSS3 Base Score: 7.5
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity Impact: None
Availability Impact: High

Red Hat Security Errata

Platform                                                    Errata          Release Date
Red Hat Gluster Storage NFS 3.2 on RHEL-7 (libntirpc)       RHSA-2017:1395  2017-06-06
Red Hat Gluster Storage NFS 3.2 on RHEL-6 (libntirpc)       RHSA-2017:1395  2017-06-06
Red Hat Enterprise Linux 7 (rpcbind)                        RHSA-2017:1262  2017-05-22
Red Hat Enterprise Linux 7 (libtirpc)                       RHSA-2017:1263  2017-05-22
Red Hat Enterprise Linux 6 (rpcbind)                        RHSA-2017:1267  2017-05-23
Red Hat Enterprise Linux 6 (libtirpc)                       RHSA-2017:1268  2017-05-23
Red Hat Ceph Storage Tools 2 (libntirpc)                    RHBA-2017:1497  2017-06-19

Mitigation

rpcbind should be protected by iptables so that only trusted hosts that require access can reach it (e.g., NFS clients). Applying per-IP rate limits in iptables will also significantly limit the impact of this attack. The default iptables rules in the system-config-firewall or firewalld package deny all remote access to rpcbind. If you elect to run your system with overcommit turned off, daemons should have memory limits enforced by the init system to ensure stability. With systemd, use directives such as LimitAS in unit files. With upstart, place ulimit commands in /etc/sysconfig/$daemon.
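The firewall and memory-limit mitigations above, as an added example (not Red Hat's own rules): a POSIX shell script that prints an iptables-restore fragment limiting port 111 to a trusted range with a per-source hashlimit, and a systemd drop-in that sets LimitAS. The chain name RPCBIND, the 192.0.2.0/24 range, the rate and burst values and the 512 MiB limit are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not Red Hat's own rules. Constructed values: chain name RPCBIND,
# hashlimit name "rpcbind", and the sample arguments in the case block at the end.

# is_uint VALUE: succeed only for a positive decimal integer without leading zero.
is_uint() {
    case $1 in
        ''|*[!0-9]*|0*) return 1 ;;
        *) return 0 ;;
    esac
}

# rpcbind_rules TRUSTED_CIDR RATE_PER_SEC BURST
# Prints a filter-table fragment for `iptables-restore --noflush`.
# hashlimit counts packets per source IP, so it throttles UDP datagrams
# and TCP segments to port 111 alike.
rpcbind_rules() {
    is_uint "$2" && is_uint "$3" || return 1
    case $1 in
        ''|*[!0-9./]*) return 1 ;;   # IPv4 address or CIDR characters only
    esac
    cat <<EOF
*filter
:RPCBIND - [0:0]
-I INPUT 1 -p tcp --dport 111 -j RPCBIND
-I INPUT 1 -p udp --dport 111 -j RPCBIND
-A RPCBIND ! -s $1 -j DROP
-A RPCBIND -m hashlimit --hashlimit-name rpcbind --hashlimit-mode srcip --hashlimit-upto $2/second --hashlimit-burst $3 -j ACCEPT
-A RPCBIND -j DROP
COMMIT
EOF
}

# rpcbind_dropin LIMIT_MIB
# Prints a systemd drop-in; LimitAS is written in bytes so it does not
# depend on unit-suffix support in the installed systemd.
rpcbind_dropin() {
    is_uint "$1" || return 1
    printf '[Service]\nLimitAS=%s\n' "$(( $1 * 1024 * 1024 ))"
}

# Print one fragment only when asked, so sourcing the file has no side effects.
case ${1:-} in
    rules)  rpcbind_rules 192.0.2.0/24 20 40 ;;
    dropin) rpcbind_dropin 512 ;;
esac
```

Review the printed rules against the existing INPUT chain before loading them, and size the LimitAS value from rpcbind's observed memory use on the host rather than from the sample figure.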
