Bug 1037559 - (CVE-2017-8779) VUL-0: CVE-2017-8779: rpcbind,libtirpc: rpcbomb: remote rpcbind denial-of-service
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other / OS: Other
Priority: P1 - Urgent
Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
Whiteboard: maint:running:63636:important
Blocks: CVE-2017-8804
Reported: 2017-05-04 09:27 UTC by Marcus Meissner
Modified: 2019-02-01 11:15 UTC


Attachments
rpcbomb.rb (2.67 KB, text/plain), 2017-05-04 09:33 UTC, Marcus Meissner
rpcbind_patch.txt (646 bytes, patch), 2017-05-04 09:34 UTC, Marcus Meissner
libtirpc_patch.txt (6.87 KB, patch), 2017-05-04 09:34 UTC, Marcus Meissner
glibc-2.11.3-xdr_bytes.patch (1.15 KB, patch), 2017-05-04 14:57 UTC, Olaf Kirch
Always call svc_freeargs, even if svc_getargs failed (818 bytes, patch), 2017-05-17 09:25 UTC, Andreas Schwab

Description Marcus Meissner 2017-05-04 09:27:40 UTC
via oss-sec

From: Guido Vranken <guidovranken@gmail.com>
Subject: [oss-security] rpcbomb: remote rpcbind denial-of-service

This vulnerability allows an attacker to allocate any amount of bytes
(up to 4 gigabytes per attack) on a remote rpcbind host, and the
memory is never freed unless the process crashes or the administrator
halts or restarts the rpcbind service.

Attacking a system is trivial; a single attack consists of sending a
specially crafted payload of around 60 bytes through a UDP socket.

This can slow down the system’s operations significantly or prevent
other services (such as a web server) from spawning processes
entirely.

An extensive write-up can be found here:
https://guidovranken.wordpress.com/2017/05/03/rpcbomb-remote-rpcbind-denial-of-service-patches/

Exploit + patches: https://github.com/guidovranken/rpcbomb/
Comment 1 Marcus Meissner 2017-05-04 09:33:05 UTC
Created attachment 723770 [details]
rpcbomb.rb

QA REPRODUCER:

ps auxw|grep rpcbind

  note down virtual memory used

ruby rpcbomb.rb localhost 9999999999

ps auxw|grep rpcbind

   note down virtual memory used.

BEFORE:
rpc        477  0.0  0.0 11243712 1516 ?       Ss   Mär02   0:06 /sbin/rpcbind -w -f
... jumps to ... 
rpc        477  0.0  0.0 13997752 1516 ?       Ss   Mär02   0:06 /sbin/rpcbind -w -f



The amount should not be much higher than before
Comment 2 Marcus Meissner 2017-05-04 09:34:03 UTC
Created attachment 723772 [details]
rpcbind_patch.txt

rpcbind_patch.txt
Comment 3 Marcus Meissner 2017-05-04 09:34:32 UTC
Created attachment 723773 [details]
libtirpc_patch.txt

libtirpc_patch.txt
Comment 4 Olaf Kirch 2017-05-04 09:52:39 UTC
The patches look sane.

As far as I can tell, the central portion of the patch is in xdr_bytes(). Maybe it would make sense to verify that the code in glibc doesn't suffer from the same problem (which would then affect older SLES releases that didn't have libtirpc yet).
Comment 5 Marcus Meissner 2017-05-04 14:20:05 UTC
I am only waiting for a CVE, but you could already submit fixed packages.
Comment 6 Marcus Meissner 2017-05-04 14:28:22 UTC
As for glibc, the RPC code looks different. I do not spot any of the above patch patterns, so it is very hard to say. :(
Comment 7 Olaf Kirch 2017-05-04 14:57:53 UTC
Created attachment 723848 [details]
glibc-2.11.3-xdr_bytes.patch

glibc in SLE11 seems to have the same issue; here's a tentative patch.

I do not think this is a huge issue, btw. We're indeed leaking virtual memory, but we're never touching it AFAICT, so you're probably not leaking more than 2 pages worth of actual memory per RPC call.
Comment 8 Luiz Angelo Daros de Luca 2017-05-04 21:33:55 UTC
(In reply to Marcus Meissner from comment #1)
> Created attachment 723770 [details]
> rpcbomb.rb
> 
> QA REPRODUCER:
> 
> ps auxw|grep rpcbind
> 
>   note down virtual memory used
> 
> ruby rpcbomb.rb localhost 9999999999
> 
> ps auxw|grep rpcbind
> 
>    note down virtual memory used.
> 
> BEFORE:
> rpc        477  0.0  0.0 11243712 1516 ?       Ss   Mär02   0:06
> /sbin/rpcbind -w -f
> ... jumps to ... 
> rpc        477  0.0  0.0 13997752 1516 ?       Ss   Mär02   0:06
> /sbin/rpcbind -w -f
> 
> 
> 
> The amount should not be much higher than before

Is this rpcbomb intentionally innocuous? At least in my tests, it does allocate virtual memory but the system memory is kept free. After 571GB of virtual memory for rpcbind, my system (xen dom0) with 1GB of RAM was still fine.

sles12sp1:~ # ps auxw|grep rpcbind
rpc       1783  0.0  0.5 571581660 5600 ?      Ss   18:03   0:00 /sbin/rpcbind -w -f
sles12sp1:~ # free
             total       used       free     shared    buffers     cached
Mem:       1062096     511560     550536       8044        464     370412
-/+ buffers/cache:     140684     921412
Swap:      1048572          0    1048572
Comment 9 Marcus Meissner 2017-05-05 06:48:34 UTC
Yeah, it seems to be only virtual memory. The exploit only delivers a large size causing this allocation, but not the content.

To fill the content, it would need bigger data to be sent.
Comment 15 Marcus Meissner 2017-05-08 09:42:44 UTC
glibc is tracked in bug 1037930 separately.
Comment 17 Bernhard Wiedemann 2017-05-08 16:01:00 UTC
This is an autogenerated message for OBS integration:
This bug (1037559) was mentioned in
https://build.opensuse.org/request/show/493468 42.2 / rpcbind
https://build.opensuse.org/request/show/493471 42.2 / libtirpc
Comment 19 Thomas Blume 2017-05-11 07:44:25 UTC
patches submitted, closing
Comment 24 Thomas Blume 2017-05-11 09:13:22 UTC
reassigning to security-team
Comment 27 Swamp Workflow Management 2017-05-16 16:12:07 UTC
SUSE-SU-2017:1306-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1037559
CVE References: CVE-2017-8779
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    libtirpc-0.2.3-13.3.1
SUSE Linux Enterprise Server 12-SP1 (src):    libtirpc-0.2.3-13.3.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    libtirpc-0.2.3-13.3.1
Comment 28 Swamp Workflow Management 2017-05-16 19:13:49 UTC
SUSE-SU-2017:1314-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1037559
CVE References: CVE-2017-8779
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    libtirpc-1.0.1-16.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    libtirpc-1.0.1-16.1
SUSE Linux Enterprise Server 12-SP2 (src):    libtirpc-1.0.1-16.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    libtirpc-1.0.1-16.1
Comment 29 Andreas Schwab 2017-05-17 09:25:39 UTC
Created attachment 725355 [details]
Always call svc_freeargs, even if svc_getargs failed
Comment 30 Swamp Workflow Management 2017-05-18 16:09:59 UTC
SUSE-SU-2017:1328-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1037559
CVE References: CVE-2017-8779
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    rpcbind-0.2.3-23.1
SUSE Linux Enterprise Server 12-SP2 (src):    rpcbind-0.2.3-23.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    rpcbind-0.2.3-23.1
Comment 31 Swamp Workflow Management 2017-05-18 16:24:24 UTC
SUSE-SU-2017:1336-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1037559
CVE References: CVE-2017-8779
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    rpcbind-0.2.1_rc4-17.3.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    rpcbind-0.2.1_rc4-17.3.1
Comment 32 Marcus Meissner 2017-05-19 08:58:45 UTC
I am using 100000 bytes and it continues to increase.

==32264== 500,005 bytes in 5 blocks are definitely lost in loss record 86 of 86
==32264==    at 0x4C27FFB: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32264==    by 0x50592B9: xdr_string (xdr.c:700)
==32264==    by 0x5052805: xdr_rpcb (rpcb_prot.c:59)
==32264==    by 0x10D6A2: rpcb_service_4 (rpcb_svc_4.c:217)
==32264==    by 0x50532A8: svc_getreq_common (svc.c:681)
==32264==    by 0x505337B: svc_getreq_poll (svc.c:766)
==32264==    by 0x10E1EA: my_svc_run (rpcb_svc_com.c:1260)
==32264==    by 0x10CF1B: main (rpcbind.c:253)

I think 9999999999 is too large as the maximum is (u_int) ~0, so 0xffff.ffff
and above is 0x2.540B.E3FF
Comment 33 Thomas Blume 2017-05-19 13:46:52 UTC
(In reply to Marcus Meissner from comment #32)
>     I am using 100000 bytes and it continues to increase.
> 
> 
>     ==32264== 500,005 bytes in 5 blocks are definitely lost in loss record
> 86 of 86
>     ==32264==    at 0x4C27FFB: calloc (in
> /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
>     ==32264==    by 0x50592B9: xdr_string (xdr.c:700)
>     ==32264==    by 0x5052805: xdr_rpcb (rpcb_prot.c:59)
>     ==32264==    by 0x10D6A2: rpcb_service_4 (rpcb_svc_4.c:217)
>     ==32264==    by 0x50532A8: svc_getreq_common (svc.c:681)
>     ==32264==    by 0x505337B: svc_getreq_poll (svc.c:766)
>     ==32264==    by 0x10E1EA: my_svc_run (rpcb_svc_com.c:1260)
>     ==32264==    by 0x10CF1B: main (rpcbind.c:253)
> 
>     I think 9999999999 is too large as the maximum is (u_int) ~0, so
> 0xffff.ffff 
>     and above is 0x2.540B.E3FF

Thanks, I could verify the bug and the fixes on SLES11 SP4 now.
Comment 34 Thomas Blume 2017-05-19 13:47:48 UTC
(In reply to Andreas Schwab from comment #29)
> Created attachment 725355 [details]
> Always call svc_freeargs, even if svc_getargs failed

Thanks Andreas, I have added your patch.
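Added illustration of the bug class discussed in this report. The code below is written for this page; it is not the libtirpc, rpcbind or glibc source and does not reproduce the attached patches (which are not shown here). It mirrors the shape the valgrind trace in comment 32 points at: an xdr_string()-style decoder that allocates size+1 bytes from an attacker-supplied length and fails afterwards because the datagram carries no body, so the buffer is never released. Two remedies are shown side by side: checking the length against the remaining datagram bytes before allocating (the decode-side shape of fix, which comment 4 locates in xdr_bytes() for the real patch), and a caller that frees the argument buffer even when decoding failed (the caller-side shape of the comment 29 patch). The tracking allocator, the struct and function names, and the 12-byte datagram are constructed for the example and are not the rpcbomb payload; XDR 4-byte padding is omitted.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tracking allocator (assumed helper, not libtirpc code) so the caller can
 * observe what valgrind reported as "definitely lost" in comment 32. */
static size_t g_outstanding = 0;

static void *tracked_calloc(size_t n)
{
    size_t *p = calloc(1, n + sizeof(size_t));
    if (p == NULL)
        return NULL;
    *p = n;                      /* remember the size for tracked_free */
    g_outstanding += n;
    return p + 1;
}

static void tracked_free(void *q)
{
    if (q == NULL)
        return;
    size_t *p = (size_t *)q - 1;
    g_outstanding -= *p;
    free(p);
}

/* Decode cursor over one datagram. */
struct xdr_buf {
    const uint8_t *data;
    size_t len;
    size_t pos;
};

static size_t xdr_remaining(const struct xdr_buf *x) { return x->len - x->pos; }

/* XDR integers are 4 bytes, big-endian. */
static int xdr_get_u32(struct xdr_buf *x, uint32_t *out)
{
    if (xdr_remaining(x) < 4)
        return 0;
    const uint8_t *p = x->data + x->pos;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    x->pos += 4;
    return 1;
}

/* Pre-fix shape: size+1 bytes are allocated on the strength of the length
 * field alone and handed back through *out before the body is read. A
 * datagram carrying the length but not the body fails after the allocation. */
static int xdr_string_unchecked(struct xdr_buf *x, char **out)
{
    uint32_t size;
    if (!xdr_get_u32(x, &size))
        return 0;
    size_t nodesize = (size_t)size + 1;          /* attacker picks size, up to 0xffffffff */
    char *s = tracked_calloc(nodesize);
    if (s == NULL)
        return 0;
    *out = s;
    if (xdr_remaining(x) < size)                 /* body missing: fail, s still allocated */
        return 0;
    memcpy(s, x->data + x->pos, size);
    x->pos += size;
    return 1;
}

/* Post-fix shape: a length the datagram cannot contain is rejected before
 * anything is allocated. */
static int xdr_string_checked(struct xdr_buf *x, char **out)
{
    uint32_t size;
    if (!xdr_get_u32(x, &size))
        return 0;
    if (xdr_remaining(x) < size)
        return 0;
    char *s = tracked_calloc((size_t)size + 1);
    if (s == NULL)
        return 0;
    memcpy(s, x->data + x->pos, size);
    x->pos += size;
    *out = s;
    return 1;
}

/* Constructed datagram, not a real rpcbind request: length 100000 (the
 * value used in comment 32) followed by only 8 bytes of body. */
static const uint8_t short_datagram[] = {
    0x00, 0x01, 0x86, 0xA0,
    'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h'
};

typedef int (*decode_fn)(struct xdr_buf *, char **);

/* Run one decode and report the bytes still allocated afterwards.
 * free_on_failure mirrors the caller-side fix from comment 29: release the
 * argument buffer even when decoding failed. */
static size_t bytes_left_after(decode_fn decode, int free_on_failure)
{
    struct xdr_buf x = { short_datagram, sizeof short_datagram, 0 };
    char *s = NULL;
    g_outstanding = 0;
    int ok = decode(&x, &s);
    if (ok || free_on_failure)
        tracked_free(s);
    return g_outstanding;
}

size_t leak_unchecked(void)       { return bytes_left_after(xdr_string_unchecked, 0); } /* 100001 */
size_t leak_checked(void)         { return bytes_left_after(xdr_string_checked, 0); }   /* 0 */
size_t leak_unchecked_freed(void) { return bytes_left_after(xdr_string_unchecked, 1); } /* 0 */

/* A length given as 9999999999 does not fit the 32-bit XDR field; comment 32
 * notes the maximum is (u_int)~0. This is the value the truncation yields. */
uint32_t xdr_length_field(unsigned long long requested) { return (uint32_t)requested; }

int main(void)
{
    printf("unchecked decoder, free only on success: %zu bytes leaked\n", leak_unchecked());
    printf("checked decoder:                         %zu bytes leaked\n", leak_checked());
    printf("unchecked decoder, always free:          %zu bytes leaked\n", leak_unchecked_freed());
    printf("9999999999 as a 32-bit length field:     0x%08x\n", xdr_length_field(9999999999ULL));
    return 0;
}
```

The two fixes are independent and both are worth having: the decode-side check stops the allocation from happening at all, which also bounds per-request work, while freeing on failure protects every other decoder in the argument struct that might fail after a sibling field has already been allocated. Only virtual address space is consumed here because calloc of a large block is satisfied lazily by the kernel, which is the behaviour comments 7 and 8 describe.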
Comment 38 Swamp Workflow Management 2017-05-23 19:11:39 UTC
openSUSE-SU-2017:1381-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1037559
CVE References: CVE-2017-8779
Sources used:
openSUSE Leap 42.2 (src):    libtirpc-1.0.1-2.3.1
Comment 39 Swamp Workflow Management 2017-05-24 10:58:27 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-05-31.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63637
Comment 40 Swamp Workflow Management 2017-05-26 10:08:42 UTC
openSUSE-SU-2017:1412-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1037559
CVE References: CVE-2017-8779
Sources used:
openSUSE Leap 42.2 (src):    rpcbind-0.2.3-3.3.1
Comment 41 Swamp Workflow Management 2017-05-31 19:11:09 UTC
SUSE-SU-2017:1468-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1037559
CVE References: CVE-2017-8779
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libtirpc-0.2.1-1.12.3
SUSE Linux Enterprise Server 11-SP4 (src):    libtirpc-0.2.1-1.12.3, rpcbind-0.1.6+git20080930-6.27.2
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    libtirpc-0.2.1-1.12.3, rpcbind-0.1.6+git20080930-6.27.2
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    libtirpc-0.2.1-1.12.3, rpcbind-0.1.6+git20080930-6.27.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libtirpc-0.2.1-1.12.3, rpcbind-0.1.6+git20080930-6.27.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    libtirpc-0.2.1-1.12.3, rpcbind-0.1.6+git20080930-6.27.2
Comment 43 Bernhard Wiedemann 2017-08-19 10:00:26 UTC
This is an autogenerated message for OBS integration:
This bug (1037559) was mentioned in
https://build.opensuse.org/request/show/517662 Factory / rpcbind
Comment 44 Thomas Blume 2017-11-07 12:08:36 UTC
reassigning to security team in order to confirm the fix and to close the bug as appropriate.
Comment 45 Marcus Meissner 2017-11-08 15:54:58 UTC
released