It was found that due to the way rpcbind uses libtirpc (libntirpc), a memory leak can occur when parsing specially crafted XDR messages. An attacker sending thousands of messages to rpcbind could cause its memory usage to grow without bound, eventually causing it to be terminated by the OOM killer.
Find out more about CVE-2017-8779 from the
MITRE CVE dictionary dictionary and
In the default system configuration, with the sysctl variable vm.overcommit_memory set to either 0 (the default) or 1, an attack would take a not-insignificant amount of time to exhaust the system's memory. If vm.overcommit_memory is set to a value of 2, the time required to exhaust system memory is sufficiently reduced. It was further noticed that, a 32-bit system would have its memory exhausted faster than a 64-bit system.
rpcbind should be protected by iptables so that only trusted hosts that require access can reach it (eg, nfs clients). Applying per-IP rate limits in iptables will also significantly limit the impact of this attack. The default iptables rules in the system-config-firewall or firewalld package deny all remote access to rpcbind.
If you elect to run your system with overcommit turned off, daemons should have memory limits enforced by the init system to ensure stability. With systemd, use directives such as LimitAS in unit files. With upstart, place ulimit commands in /etc/sysconfig/$daemon.