Table of Contents
In the default system configuration, with the sysctl variable vm.overcommit_memory set to either 0 (the default) or 1, an attack would take a not-insignificant amount of time to exhaust the system's memory. If vm.overcommit_memory is set to a value of 2, the time required to exhaust system memory is sufficiently reduced. It was further noticed that, a 32-bit system would have its memory exhausted faster than a 64-bit system.
CVSS v3 metrics
|CVSS3 Base Score||7.5|
|CVSS3 Base Metrics||CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H|
Red Hat Security Errata
|Red Hat Gluster Storage NFS 3.2 on RHEL-7 (libntirpc)||RHSA-2017:1395||2017-06-06|
|Red Hat Gluster Storage NFS 3.2 on RHEL-6 (libntirpc)||RHSA-2017:1395||2017-06-06|
|Red Hat Enterprise Linux 7 (rpcbind)||RHSA-2017:1262||2017-05-22|
|Red Hat Enterprise Linux 7 (libtirpc)||RHSA-2017:1263||2017-05-22|
|Red Hat Enterprise Linux 6 (rpcbind)||RHSA-2017:1267||2017-05-23|
|Red Hat Enterprise Linux 6 (libtirpc)||RHSA-2017:1268||2017-05-23|
|Red Hat Ceph Storage Tools 2 (libntirpc)||RHBA-2017:1497||2017-06-19|
rpcbind should be protected by iptables so that only trusted hosts that require access can reach it (eg, nfs clients). Applying per-IP rate limits in iptables will also significantly limit the impact of this attack. The default iptables rules in the system-config-firewall or firewalld package deny all remote access to rpcbind.
If you elect to run your system with overcommit turned off, daemons should have memory limits enforced by the init system to ensure stability. With systemd, use directives such as LimitAS in unit files. With upstart, place ulimit commands in /etc/sysconfig/$daemon.