Tuesday, November 5, 2002

Unpublished Solaris RPC exploit against 'rpcbind' in the wild?

There are a growing number of (unofficial, but reliable) reports
from various sources of new, unpublished exploits targeting RPC
services on Solaris, including Solaris 2.6, 8, and Solaris 9,
both Intel and Sparc.


This is unconnected with the recent publicly announced SGI/IRIX
vulnerabilities, also related to 'rpcbind' (aka 'portmapper').


The most reliable reports are of penetration and defacement against
Internet servers running Solaris 8, with all current official
Sun patches applied. There is also the possibility of the upcoming
release of "blended-threat" worms, for example, a worm with a payload
containing both an (unrelated) MS-RPC exploit for Win32/Intel and a
Solaris/Sparc exploit against rpcbind.


Any Solaris system running 'rpcbind', regardless of what services,
if any, are registered with RPC, should be considered vulnerable.


There is no official patch from Sun, and this vulnerability has not been
confirmed by Sun Microsystems or by CERT. Prior vulnerabilities of
this nature have been exploited in the wild for several months before
being officially addressed by the Sun Security Coordination Team.


On many systems, it may be possible to disable the RPC service entirely
if neither NFS nor any other application or protocol that relies on RPC
is in use. If it is not possible to disable the RPC service, you may wish
to consider implementing one of several mechanisms to protect the RPC
services from remote access.
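Deciding whether 'rpcbind' can be disabled starts with knowing what is
registered with it. The following script is an added example and is not
part of this advisory: it parses the text of `rpcinfo -p` (a constructed
sample is embedded so it runs offline) and lists every RPC program
registered other than the portmapper itself (program number 100000). An
empty list means nothing on the host depends on 'rpcbind' and the service
is a candidate for being switched off; a non-empty list names what must
be retired or protected first. The column layout assumed is the usual
`program vers proto port service` form of `rpcinfo -p`.

```shell
#!/bin/sh
# Added example, not from the original advisory.
# Given `rpcinfo -p` output, decide whether rpcbind is still needed.

# Constructed sample of `rpcinfo -p` output (not captured from a real host).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp  32771  mountd
    100024    1   tcp  32772  status'

# Read rpcinfo -p text on stdin; print each program other than the
# portmapper (100000) once, as "number name", sorted by number.
# The header line is skipped because its first field is not numeric;
# entries with no service name are printed with "-" in place of the name.
rpc_registered_programs() {
    awk '$1 ~ /^[0-9]+$/ && $1 != 100000 {
             name = ($5 == "") ? "-" : $5
             print $1, name
         }' | sort -u
}

# Read rpcinfo -p text on stdin; exit 0 if only the portmapper itself is
# registered (rpcbind could be disabled), 1 if other programs depend on it.
rpc_only_portmapper() {
    [ -z "$(rpc_registered_programs)" ]
}

# Stand-alone run over the constructed sample. On a real host, feed the
# live output instead:  rpcinfo -p | rpc_registered_programs
if printf '%s\n' "$SAMPLE_RPCINFO" | rpc_only_portmapper; then
    echo "only the portmapper is registered: rpcbind is a candidate for disabling"
else
    echo "programs still registered with rpcbind (review before disabling it):"
    printf '%s\n' "$SAMPLE_RPCINFO" | rpc_registered_programs
fi
```

Because the sample registers nfs, mountd and status, the script reports
those three programs; a host whose `rpcinfo -p` shows only 100000 entries
passes the `rpc_only_portmapper` check.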


We are not able to provide details or recommendations for protecting
RPC at this time. There are third-party 'rpcbind' implementations
which support TCP Wrappers; however, we have not done any recent testing
with this class of software.


Any system exposed on the Internet with 'rpcbind' running and
TCP port 111 accessible should be considered to be compromised.