Hello,
I was trying to find information about the rpcbind issue below and how I can fix it so that it won't happen again.
Below is one of the vulnerabilities reported by my security team:
RPC
service name: portmapper
service protocol: udp
Portmapper found at: 327xx
service port: 327xx
Vulnerability ID: rpc-portmapper-0001
vulnerability title: Rpcbind Listening on a Non-Standard Port
Vulnerability Description:
The rpcbind program converts RPC program numbers into universal addresses.
When a client makes an RPC call to a given program number, it first connects to rpcbind on the target system to determine the address where the RPC request should be sent. Rpcbind has been detected listening on a non-standard port (above 32770) instead of the standard TCP / UDP port 111.
This configuration flaw has been confirmed on some operating systems such as Solaris 2.x. The exact high port number rpcbind listens on is dependent on the OS release and architecture. Thus, packet filtering devices that are configured to block access to rpcbind / portmapper may be subverted by sending UDP requests to rpcbind listening above port 32770. This vulnerability may allow an unauthorized user to obtain remote RPC information from a remote system even if port 111 is being blocked.
Solution:
========
Fix Solaris rpcbind filter evasion
Download and apply the patch from: http://ftp.porcupine.org/pub/security/
For Solaris, the newest version of Wietse Venema's rpcbind replacement can be found at Wietse Venema's web site (http://ftp.porcupine.org/pub/security/).
Patches are available to all Sun customers at the SunSolve web site (http://sunsolve.sun.com).
Other than these patches, firewall best practices and "default deny" rules can help protect against attacks targeting rpcbind.
This is what I can see from the LPAR:
[root@testlpar]/tmp>lsof -i :111 | grep LISTEN
portmap 7995500 root 3u IPv6 0xf1000e0000045455b 0t0 TCP *:sunrpc (LISTEN)
[root@testlpar]/tmp>lsof -i :327xx | grep LISTEN
[user1@testlpar]/home/user1>rpcinfo -p
   program vers proto   port  service
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
From the above information, we can see that portmapper is listening on port "111", not the non-standard port "327xx".
oslevel is "7100-03-01-1341"
I'm not sure how they found the above vulnerability in the scan. Can you please help me understand the cause of the issue and how we can avoid this in future?
Thanks for your time.
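Added example, not part of the original post: the script below reproduces the kind of probe the vulnerability description refers to. It builds an ONC RPC v2 CALL for PMAPPROC_DUMP (program 100000, version 2, procedure 4, AUTH_NONE, per the RFC 5531 message layout), sends it over UDP to any port you choose, and decodes the reply, so a reply from a port above 32770 means something there speaks the portmapper protocol regardless of what port 111 shows. Two caveats for re-checking on the host itself: lsof reports the "(LISTEN)" state only for TCP sockets, so "lsof -i :327xx | grep LISTEN" shows nothing for a UDP socket even when one is open (use "lsof -i UDP" or "netstat -an | grep udp" instead), and rpcinfo -p only lists registrations, not which sockets the daemon itself holds. The target host, the 32770-32799 port range, the xid value and the mapping list used as test data are all assumptions or constructed values, not output from the poster's system.

```python
"""Send a portmapper DUMP request over UDP to an arbitrary port and decode the
reply.  Added example for illustration; not code from the original post."""
import socket
import struct

PMAP_PROG = 100000          # rpcbind / portmapper program number
PMAP_VERS = 2               # version 2 provides PMAPPROC_DUMP
PMAPPROC_DUMP = 4
RPC_VERSION = 2
MSG_CALL, MSG_REPLY = 0, 1
MSG_ACCEPTED, SUCCESS = 0, 0
AUTH_NONE = 0
PROTO_NAME = {6: "tcp", 17: "udp"}


def build_dump_call(xid):
    """ONC RPC v2 CALL header for PMAPPROC_DUMP: xid, CALL, rpcvers, prog, vers,
    proc, cred flavor/len, verf flavor/len.  DUMP takes no arguments, so the
    message is exactly 40 bytes."""
    return struct.pack(">10I", xid, MSG_CALL, RPC_VERSION, PMAP_PROG, PMAP_VERS,
                       PMAPPROC_DUMP, AUTH_NONE, 0, AUTH_NONE, 0)


def build_dump_reply(xid, mappings):
    """Encode a successful DUMP reply.  Used here to construct test data only."""
    body = struct.pack(">6I", xid, MSG_REPLY, MSG_ACCEPTED, AUTH_NONE, 0, SUCCESS)
    for prog, vers, prot, port in mappings:
        body += struct.pack(">5I", 1, prog, vers, prot, port)  # 1 = entry follows
    return body + struct.pack(">I", 0)                          # 0 = end of list


def parse_dump_reply(data, xid):
    """Decode a DUMP reply into [(prog, vers, proto, port), ...].
    Raises ValueError for anything that is not an accepted, successful reply."""
    if len(data) < 28:
        raise ValueError("reply too short to be an RPC reply")
    rxid, mtype, rstat, _vflavor, vlen = struct.unpack(">5I", data[:20])
    if rxid != xid:
        raise ValueError("xid mismatch")
    if mtype != MSG_REPLY or rstat != MSG_ACCEPTED:
        raise ValueError("call was not accepted")
    off = 20 + ((vlen + 3) & ~3)            # skip verifier body (XDR pads to 4)
    try:
        (astat,) = struct.unpack(">I", data[off:off + 4])
        off += 4
        if astat != SUCCESS:
            raise ValueError("accept_stat %d" % astat)
        mappings = []
        while True:
            (more,) = struct.unpack(">I", data[off:off + 4])
            off += 4
            if not more:
                return mappings
            prog, vers, prot, port = struct.unpack(">4I", data[off:off + 16])
            off += 16
            mappings.append((prog, vers, PROTO_NAME.get(prot, str(prot)), port))
    except struct.error:
        raise ValueError("truncated reply")


def query_portmapper(host, port, timeout=3.0, xid=0x5EED0001):
    """Send the DUMP call to host:port over UDP and decode the answer (does network I/O)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_dump_call(xid), (host, port))
        data, _ = s.recvfrom(65535)
    return parse_dump_reply(data, xid)


def portmapper_responders(host, ports):
    """Return {port: mappings} for every port at which a portmapper answered."""
    found = {}
    for p in ports:
        try:
            found[p] = query_portmapper(host, p)
        except (OSError, ValueError):      # timeout, ICMP unreachable, garbage
            continue
    return found


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # assumed target
    # 111 plus a slice of the high range the scanner describes; widen as needed.
    for port, maps in portmapper_responders(target, [111] + list(range(32770, 32800))).items():
        print("portmapper answered on udp/%d with %d registrations" % (port, len(maps)))
```

Run it from a machine on the scanner's side of any packet filter with the ports the report named; an answer from udp/327xx is the same evidence the scanner had. The expected case on this AIX box is an answer on 111 only.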