CVE-2015-7236
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: HIGH
Summary
Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c in rpcbind 0.2.1 and earlier allows remote attackers to cause a denial of service (daemon crash) via crafted packets, involving a PMAP_CALLIT code.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | | 6 |
| OS | | 3 |
| OS | | 1 |
| OS | | 2 |
Nessus

NASL family: Solaris Local Security Checks
NASL id: SOLARIS_APR2016_SRU11_3_4_5_0.NASL
description: This Solaris system is missing necessary patches to address a critical security update : - Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Utilities). Supported versions that are affected are 10 and 11.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via RPC to compromise Solaris. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Solaris. (CVE-2015-7236)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 90619
published: 2016-04-21
reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/90619
title: Oracle Solaris Critical Patch Update : apr2016_SRU11_3_4_5_0
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the Oracle CPU for apr2016.
#

include("compat.inc");

# Description branch: plugin metadata only, evaluated when Nessus loads the script.
if (description)
{
  script_id(90619);
  script_version("2.6");
  script_cvs_date("Date: 2020/01/16");

  script_cve_id("CVE-2015-7236");

  script_name(english:"Oracle Solaris Critical Patch Update : apr2016_SRU11_3_4_5_0");
  script_summary(english:"Check for the apr2016 CPU");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Solaris system is missing a security patch from CPU
apr2016."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This Solaris system is missing necessary patches to address a
critical security update :

  - Vulnerability in the Solaris component of Oracle Sun
    Systems Products Suite (subcomponent: Utilities).
    Supported versions that are affected are 10 and 11.3.
    Easily exploitable vulnerability allows unauthenticated
    attacker with network access via RPC to compromise
    Solaris. Successful attacks of this vulnerability can
    result in unauthorized ability to cause a hang or
    frequently repeatable crash (complete DOS) of Solaris.
    (CVE-2015-7236)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://support.oracle.com/epmos/faces/DocumentDisplay?id=2123591.1"
  );
  # https://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/2948264.xml
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?ae0f7f52"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.oracle.com/security-alerts/cpuapr2016v3.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Install the apr2016 CPU from the Oracle support website."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:solaris:11.3");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/10/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/04/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/21");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Solaris Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Solaris11/release");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("solaris.inc");

# Detection branch: needs credentialed (local) checks and a Solaris 11 release string.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/Solaris11/release");
if (isnull(release)) audit(AUDIT_OS_NOT, "Solaris11");

fix_release = "0.5.11-0.175.3.4.0.5.0";

flag = 0;

# Compare the installed release against the SRU that carries the fix.
if (solaris_check_release(release:"0.5.11-0.175.3.4.0.5.0", sru:"11.3.4.5.0") > 0) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:solaris_get_report2());
  else security_warning(0);
  exit(0);
}
audit(AUDIT_OS_RELEASE_NOT, "Solaris", fix_release, release);
```
NASL family: Scientific Linux Local Security Checks
NASL id: SL_20160107_RPCBIND_ON_SL6_X.NASL
description: A use-after-free flaw related to the PMAP_CALLIT operation and TCP/UDP connections was discovered in rpcbind. A remote attacker could possibly exploit this flaw to crash the rpcbind service by performing a series of UDP and TCP calls. (CVE-2015-7236) If the rpcbind service is running, it will be automatically restarted after installing this update.
last seen: 2020-03-18
modified: 2016-01-08
plugin id: 87813
published: 2016-01-08
reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/87813
title: Scientific Linux Security Update : rpcbind on SL6.x, SL7.x i386/x86_64 (20160107)

NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2015-1705-2.NASL
description: A use-after-free security bug in rpcbind was fixed which could lead to a remote denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 86343
published: 2015-10-12
reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/86343
title: SUSE SLED12 Security Update : rpcbind (SUSE-SU-2015:1705-2)

NASL family: Junos Local Security Checks
NASL id: JUNIPER_SPACE_JSA_10838.NASL
description: According to its self-reported version number, the remote Junos Space version is prior to 17.2R1. It is, therefore, affected by multiple vulnerabilities.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 108520
published: 2018-03-21
reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/108520
title: Juniper Junos Space < 17.2R1 Multiple Vulnerabilities (JSA10838)

NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_0E5D6969600A11E6A6C314DAE9D210B8.NASL
description: In rpcbind(8), netbuf structures are copied directly, which would result in two netbuf structures that reference to one shared address buffer. When one of the two netbuf structures is freed, access to the other netbuf structure would result in an undefined result that may crash the rpcbind(8) daemon. Impact : A remote attacker who can send specifically crafted packets to the rpcbind(8) daemon can cause it to crash, resulting in a denial of service condition.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 92896
published: 2016-08-12
reporter: This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/92896
title: FreeBSD : FreeBSD -- rpcbind(8) remote denial of service [REVISED] (0e5d6969-600a-11e6-a6c3-14dae9d210b8)

NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2015-1706-2.NASL
description: A use-after-free security bug in rpcbind was fixed which could lead to a remote denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 86345
published: 2015-10-12
reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/86345
title: SUSE SLES11 Security Update : rpcbind (SUSE-SU-2015:1706-2)

NASL family: Solaris Local Security Checks
NASL id: SOLARIS10_152264-01.NASL
description: Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Utilities). Supported versions that are affected are 10 and 11.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via RPC to compromise Solaris. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Solaris.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 107782
published: 2018-03-12
reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/107782
title: Solaris 10 (sparc) : 152264-01

NASL family: Solaris Local Security Checks
NASL id: SOLARIS10_X86_152265-01.NASL
description: Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Utilities). Supported versions that are affected are 10 and 11.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via RPC to compromise Solaris. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Solaris.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 108255
published: 2018-03-12
reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/108255
title: Solaris 10 (x86) : 152265-01

NASL family: Oracle Linux Local Security Checks
NASL id: ORACLELINUX_ELSA-2016-0005.NASL
description: From Red Hat Security Advisory 2016:0005 : Updated rpcbind packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The rpcbind utility is a server that converts RPC program numbers into universal addresses. It must be running on the host to be able to make RPC calls on a server on that machine. A use-after-free flaw related to the PMAP_CALLIT operation and TCP/UDP connections was discovered in rpcbind. A remote attacker could possibly exploit this flaw to crash the rpcbind service by performing a series of UDP and TCP calls. (CVE-2015-7236) All rpcbind users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. If the rpcbind service is running, it will be automatically restarted after installing this update.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 87792
published: 2016-01-08
reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/87792
title: Oracle Linux 6 / 7 : rpcbind (ELSA-2016-0005)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2015-36B145BD37.NASL
description: rpcbind-0.2.3-0.4.fc23 - Fixed Seg fault in PMAP_CALLIT code (bz1264351) rpcbind-0.2.3-0.3.fc22 - Fixed Seg fault in PMAP_CALLIT code (bz 1264351) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-05
modified: 2016-03-04
plugin id: 89208
published: 2016-03-04
reporter: This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/89208
title: Fedora 23 : rpcbind-0.2.3-0.4.fc23 (2015-36b145bd37)

NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2015-1705-1.NASL
description: A use-after-free security bug in rpcbind was fixed which could lead to a remote denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 86342
published: 2015-10-12
reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/86342
title: SUSE SLES12 Security Update : rpcbind (SUSE-SU-2015:1705-1)

NASL family: CentOS Local Security Checks
NASL id: CENTOS_RHSA-2016-0005.NASL
description: Updated rpcbind packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The rpcbind utility is a server that converts RPC program numbers into universal addresses. It must be running on the host to be able to make RPC calls on a server on that machine. A use-after-free flaw related to the PMAP_CALLIT operation and TCP/UDP connections was discovered in rpcbind. A remote attacker could possibly exploit this flaw to crash the rpcbind service by performing a series of UDP and TCP calls. (CVE-2015-7236) All rpcbind users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. If the rpcbind service is running, it will be automatically restarted after installing this update.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 87778
published: 2016-01-08
reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/87778
title: CentOS 6 / 7 : rpcbind (CESA-2016:0005)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2016-0005.NASL
description: Updated rpcbind packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The rpcbind utility is a server that converts RPC program numbers into universal addresses. It must be running on the host to be able to make RPC calls on a server on that machine. A use-after-free flaw related to the PMAP_CALLIT operation and TCP/UDP connections was discovered in rpcbind. A remote attacker could possibly exploit this flaw to crash the rpcbind service by performing a series of UDP and TCP calls. (CVE-2015-7236) All rpcbind users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. If the rpcbind service is running, it will be automatically restarted after installing this update.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 87805
published: 2016-01-08
reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/87805
title: RHEL 6 / 7 : rpcbind (RHSA-2016:0005)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2015-9EEE2FBC78.NASL
description: rpcbind-0.2.3-0.4.fc23 - Fixed Seg fault in PMAP_CALLIT code (bz1264351) rpcbind-0.2.3-0.3.fc22 - Fixed Seg fault in PMAP_CALLIT code (bz 1264351) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-05
modified: 2016-03-04
plugin id: 89339
published: 2016-03-04
reporter: This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/89339
title: Fedora 22 : rpcbind-0.2.3-0.3.fc22 (2015-9eee2fbc78)

NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2015-1706-1.NASL
description: A use-after-free security bug in rpcbind was fixed which could lead to a remote denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 86344
published: 2015-10-12
reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/86344
title: SUSE SLED11 / SLES11 Security Update : rpcbind (SUSE-SU-2015:1706-1)

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DLA-311.NASL
description: A use-after-free vulnerability in rpcbind causing remotely triggerable crash was found. Rpcbind crashes in svc_dodestroy when trying to free a corrupted xprt->xp_netid pointer, which contains a sockaddr_in. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-03-17
modified: 2015-09-21
plugin id: 86021
published: 2015-09-21
reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/86021
title: Debian DLA-311-1 : rpcbind security update

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-3366.NASL
description: A remotely triggerable use-after-free vulnerability was found in rpcbind, a server that converts RPC program numbers into universal addresses. A remote attacker can take advantage of this flaw to mount a denial of service (rpcbind crash).
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 86108
published: 2015-09-24
reporter: This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/86108
title: Debian DSA-3366-1 : rpcbind - security update

NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-201611-17.NASL
description: The remote host is affected by the vulnerability described in GLSA-201611-17 (RPCBind: Denial of Service) A use-after-free vulnerability was discovered in RPCBind's svc_dodestroy function when trying to free a corrupted xprt->xp_netid pointer. Impact : A remote attacker could possibly cause a Denial of Service condition. Workaround : There is no known workaround at this time.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 95268
published: 2016-11-23
reporter: This script is Copyright (C) 2016 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/95268
title: GLSA-201611-17 : RPCBind: Denial of Service

NASL family: Solaris Local Security Checks
NASL id: SOLARIS10_X86_152265.NASL
description: Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Utilities). Supported versions that are affected are 10 and 11.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via RPC to compromise Solaris. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Solaris. This plugin has been deprecated and either replaced with individual 152265 patch-revision plugins, or deemed non-security related.
last seen: 2019-02-21
modified: 2018-07-30
plugin id: 90089
published: 2016-03-22
reporter: Tenable
source: https://www.tenable.com/plugins/index.php?view=single&id=90089
title: Solaris 10 (x86) : 152265-01 (deprecated)

NASL family: Solaris Local Security Checks
NASL id: SOLARIS10_152264.NASL
description: Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Utilities). Supported versions that are affected are 10 and 11.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via RPC to compromise Solaris. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Solaris. This plugin has been deprecated and either replaced with individual 152264 patch-revision plugins, or deemed non-security related.
last seen: 2019-02-21
modified: 2018-07-30
plugin id: 90085
published: 2016-03-22
reporter: Tenable
source: https://www.tenable.com/plugins/index.php?view=single&id=90085
title: Solaris 10 (sparc) : 152264-01 (deprecated)

NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-2756-1.NASL
description: It was discovered that rpcbind incorrectly handled certain memory structures. A remote attacker could use this issue to cause rpcbind to crash, resulting in a denial of service, or possibly execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 86220
published: 2015-10-01
reporter: Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/86220
title: Ubuntu 12.04 LTS / 14.04 LTS / 15.04 : rpcbind vulnerability (USN-2756-1)

NASL family: Amazon Linux Local Security Checks
NASL id: ALA_ALAS-2016-659.NASL
description: A use-after-free flaw related to the PMAP_CALLIT operation and TCP/UDP connections was discovered in rpcbind. A remote, unauthenticated attacker could possibly exploit this flaw to crash the rpcbind service (denial of service) by performing a series of UDP and TCP calls.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 89840
published: 2016-03-11
reporter: This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/89840
title: Amazon Linux AMI : rpcbind (ALAS-2016-659)
References
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
- https://security.gentoo.org/glsa/201611-17
- http://www.spinics.net/lists/linux-nfs/msg53045.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172152.html
- http://www.openwall.com/lists/oss-security/2015/09/17/6
- http://www.ubuntu.com/usn/USN-2756-1
- http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
- http://www.openwall.com/lists/oss-security/2015/09/17/1
- http://www.securityfocus.com/bid/76771
- http://www.securitytracker.com/id/1033673
- https://security.FreeBSD.org/advisories/FreeBSD-SA-15:24.rpcbind.asc
- http://lists.fedoraproject.org/pipermail/package-announce/2015-November/171030.html
- http://www.debian.org/security/2015/dsa-3366