CVE-2017-8779
published 2017-05-04


Priority: P268, high
CVSS 3.0: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EXPLOIT
EPSS: 81.92% (99.6th percentile)
rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.

Affected

22 ranges
Vendor | Product | Version range | Fixed in
debian | libtirpc | < libtirpc 0.2.5-1.2 (bookworm) | libtirpc 0.2.5-1.2 (bookworm)
debian | ntirpc | < libtirpc 0.2.5-1.2 (bookworm) | libtirpc 0.2.5-1.2 (bookworm)
debian | rpcbind | < libtirpc 0.2.5-1.2 (bookworm) | libtirpc 0.2.5-1.2 (bookworm)
gnu | glibc | |
libtirpc_project | libtirpc | <= 1.0.1 |
libtirpc_project | libtirpc | >= 0 < 0.2.5-1.2 | 0.2.5-1.2
libtirpc_project | libtirpc | >= 0 < 0.2.5-1.2 | 0.2.5-1.2
libtirpc_project | libtirpc | >= 0 < 0.2.5-1.2 | 0.2.5-1.2
libtirpc_project | libtirpc | >= 0 < 0.2.5-1.2 | 0.2.5-1.2
libtirpc_project | libtirpc | >= 0 < 0.2.2-5ubuntu2.1 | 0.2.2-5ubuntu2.1
libtirpc_project | libtirpc | >= 0 < 0.2.5-1ubuntu0.1 | 0.2.5-1ubuntu0.1
libtirpc_project | libtirpc | >= 0 < 0.2.5-1.2ubuntu0.1 | 0.2.5-1.2ubuntu0.1
ntirpc_project | ntirpc | <= 1.4.3 |
ntirpc_project | ntirpc | >= 0 < 1.4.4-1 | 1.4.4-1
ntirpc_project | ntirpc | >= 0 < 1.4.4-1 | 1.4.4-1
ntirpc_project | ntirpc | >= 0 < 1.4.4-1 | 1.4.4-1
ntirpc_project | ntirpc | >= 0 < 1.4.4-1 | 1.4.4-1
rpcbind_project | rpcbind | <= 0.2.4 |
rpcbind_project | rpcbind | >= 0 < 0.2.3-0.6 | 0.2.3-0.6
rpcbind_project | rpcbind | >= 0 < 0.2.3-0.6 | 0.2.3-0.6
rpcbind_project | rpcbind | >= 0 < 0.2.3-0.6 | 0.2.3-0.6
rpcbind_project | rpcbind | >= 0 < 0.2.3-0.6 | 0.2.3-0.6

Detection & IOCs (extracted from sources)

port: 111/UDP
url: https://raw.githubusercontent.com/guidovranken/rpcbomb/fe53048af2d4fb78c911e71a30f21afcffbbf5e1/rpcbomb.rb
command:
    pkt = [0].pack('N') # xid
    pkt << [0].pack('N') # message type CALL
    pkt << [2].pack('N') # RPC version 2
    pkt << [100000].pack('N') # Program
    pkt << [4].pack('N') # Program version
    pkt << [9].pack('N') # Procedure
    pkt << [0].pack('N') # Credentials AUTH_NULL
    pkt << [0].pack('N') # Credentials length 0
    pkt << [0].pack('N') # Credentials AUTH_NULL
    pkt << [0].pack('N') # Credentials length 0
    pkt << [0].pack('N') # Program: 0
    pkt << [0].pack('N') # Ver
    pkt << [4].pack('N') # Proc
    pkt << [4].pack('N') # Argument length
    pkt << [numBytes].pack('N') # Payload
  • Monitor for large UDP packets sent to port 111 (rpcbind/portmapper); the exploit sends a crafted RPC CALL packet with an oversized XDR string length field (numBytes) as the payload to trigger unbounded memory allocation.
  • Inspect RPC CALL packets (message type 0x00000000) targeting program 100000 (portmapper), version 4, procedure 9 over UDP/111; a large 4-byte argument in the payload field is the trigger for excessive memory allocation.
  • Alert on rpcbind process exhibiting rapid virtual memory growth or OOM conditions following receipt of UDP traffic on port 111, consistent with never-freed XDR string allocations.
  • The Metasploit auxiliary module path auxiliary/dos/rpc/rpcbomb can be used to test exposure; detect its use in penetration testing or adversarial activity.
  • Systems using memory overcommit (the default on many Linux distributions) are especially vulnerable because the OS will grant the allocation without immediately consuming physical memory, making the DoS harder to detect until OOM is triggered.
  • All three affected RPC libraries (rpcbind ≤0.2.4, LIBTIRPC ≤1.0.1 and 1.0.2-rc through 1.0.2-rc3, NTIRPC ≤1.4.3) share the same root cause: none enforce a maximum RPC data size during XDR string memory allocation, so detection and patching must cover all three.
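
The packet-inspection check from the bullets above, written as an added example (not code from this page or from any of the affected projects): it parses a UDP/111 datagram as an RPC CALL to program 100000, version 4, procedure 9 and reports an XDR string whose declared length exceeds the bytes actually present. The function names, the sample length value, and the argument layout (two 32-bit words followed by XDR strings, per the rpcb structure in RFC 1833) are assumptions not stated on the page.

```python
import struct

RPCBIND_PROG, CALL, RPC_VERS = 100000, 0, 2

def _u32(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated RPC message")
    return struct.unpack_from(">I", buf, off)[0], off + 4

def _skip_opaque_auth(buf, off):
    _flavor, off = _u32(buf, off)
    length, off = _u32(buf, off)
    if length > 400:                       # RFC 5531 caps auth bodies at 400 bytes
        raise ValueError("oversized auth body")
    return off + ((length + 3) & ~3)       # XDR pads opaque data to 4 bytes

def oversized_xdr_string(datagram):
    """Return the declared length of the first XDR string that claims more
    bytes than the datagram holds, or None if the call is consistent."""
    try:
        _xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from(">6I", datagram)
        if (mtype, rpcvers, prog, vers, proc) != (CALL, RPC_VERS, RPCBIND_PROG, 4, 9):
            return None                    # not the call described on the page
        off = _skip_opaque_auth(datagram, 24)    # credentials
        off = _skip_opaque_auth(datagram, off)   # verifier
        off += 8                           # r_prog, r_vers (assumed rpcb layout)
        while off < len(datagram):
            length, off = _u32(datagram, off)
            if length > len(datagram) - off:
                return length              # length field promises absent data
            off += (length + 3) & ~3
    except (ValueError, struct.error):
        return None                        # too short to be a complete CALL
    return None

def make_call(args, prog=RPCBIND_PROG):
    # Constructed header: xid 0, CALL, RPC v2, program, version 4, procedure 9,
    # AUTH_NULL credentials and verifier, matching the field list on the page.
    return struct.pack(">10I", 0, CALL, RPC_VERS, prog, 4, 9, 0, 0, 0, 0) + args

# Constructed samples: the page's trailing words with a sample length value,
# and a well-formed call whose string lengths match the data that follows.
SUSPECT = make_call(struct.pack(">5I", 0, 0, 4, 4, 0x10000000))
BENIGN = make_call(struct.pack(">3I", 0, 0, 3) + b"udp\x00" + struct.pack(">2I", 0, 0))
```

The check keys on the declared length rather than on datagram size, because the field list above amounts to only fifteen 32-bit words on the wire.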

CVSS provenance

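Source | Version | Score | Severity | Vector
nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd | v2.0 | 7.8 | HIGH | AV:N/AC:L/Au:N/C:N/I:N/A:C
osv | | 7.5 | HIGH |
vendor_debian | | 7.5 | HIGH |
vendor_redhat | | 7.5 | HIGH |
vendor_ubuntu | | 5.9 | MEDIUM |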