ID CVE-2013-1950
Summary The svc_dg_getargs function in libtirpc 0.2.3 and earlier allows remote attackers to cause a denial of service (rpcbind crash) via a Sun RPC request with crafted arguments that trigger a free of an invalid pointer.
References
Vulnerable Configurations
  • Red Hat libtirpc 0.2.3
    cpe:2.3:a:redhat:libtirpc:0.2.3
  • Red Hat libtirpc 0.2.2
    cpe:2.3:a:redhat:libtirpc:0.2.2
  • Red Hat libtirpc 0.2.1
    cpe:2.3:a:redhat:libtirpc:0.2.1
  • Red Hat libtirpc 0.2.0
    cpe:2.3:a:redhat:libtirpc:0.2.0
  • Red Hat libtirpc 0.1.11
    cpe:2.3:a:redhat:libtirpc:0.1.11
  • Red Hat libtirpc 0.1.10
    cpe:2.3:a:redhat:libtirpc:0.1.10
  • Red Hat libtirpc 0.1.9
    cpe:2.3:a:redhat:libtirpc:0.1.9
  • Red Hat libtirpc 0.1.8
    cpe:2.3:a:redhat:libtirpc:0.1.8
CVSS
Base: 4.3 (as of 10-07-2013 - 09:47)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
exploit-db via4
description rpcbind (CALLIT Procedure) UDP Crash PoC. CVE-2013-1950. Dos exploit for linux platform
id EDB-ID:26887
last seen 2016-02-03
modified 2013-07-16
published 2013-07-16
reporter Sean Verity
source https://www.exploit-db.com/download/26887/
title rpcbind CALLIT Procedure UDP Crash PoC
nessus via4
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2013-0884.NASL
    description Updated libtirpc packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. These packages provide a transport-independent RPC (remote procedure call) implementation. A flaw was found in the way libtirpc decoded RPC requests. A specially crafted RPC request could cause libtirpc to attempt to free a buffer provided by an application using the library, even when the buffer was not dynamically allocated. This could cause an application using libtirpc, such as rpcbind, to crash. (CVE-2013-1950) Red Hat would like to thank Michael Armstrong for reporting this issue. Users of libtirpc should upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using libtirpc must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 66702
    published 2013-05-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66702
    title CentOS 6 : libtirpc (CESA-2013:0884)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-0884.NASL
    description Updated libtirpc packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. These packages provide a transport-independent RPC (remote procedure call) implementation. A flaw was found in the way libtirpc decoded RPC requests. A specially crafted RPC request could cause libtirpc to attempt to free a buffer provided by an application using the library, even when the buffer was not dynamically allocated. This could cause an application using libtirpc, such as rpcbind, to crash. (CVE-2013-1950) Red Hat would like to thank Michael Armstrong for reporting this issue. Users of libtirpc should upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using libtirpc must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 66707
    published 2013-05-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66707
    title RHEL 6 : libtirpc (RHSA-2013:0884)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-0884.NASL
    description From Red Hat Security Advisory 2013:0884 : Updated libtirpc packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. These packages provide a transport-independent RPC (remote procedure call) implementation. A flaw was found in the way libtirpc decoded RPC requests. A specially crafted RPC request could cause libtirpc to attempt to free a buffer provided by an application using the library, even when the buffer was not dynamically allocated. This could cause an application using libtirpc, such as rpcbind, to crash. (CVE-2013-1950) Red Hat would like to thank Michael Armstrong for reporting this issue. Users of libtirpc should upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using libtirpc must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 68830
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68830
    title Oracle Linux 6 : libtirpc (ELSA-2013-0884)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2013-199.NASL
    description A flaw was found in the way libtirpc decoded RPC requests. A specially crafted RPC request could cause libtirpc to attempt to free a buffer provided by an application using the library, even when the buffer was not dynamically allocated. This could cause an application using libtirpc, such as rpcbind, to crash. (CVE-2013-1950)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 69757
    published 2013-09-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69757
    title Amazon Linux AMI : libtirpc (ALAS-2013-199)
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL19157044.NASL
    description The svc_dg_getargs function in libtirpc 0.2.3 and earlier allows remote attackers to cause a denial of service (rpcbind crash) via a Sun RPC request with crafted arguments that trigger a free of an invalid pointer. (CVE-2013-1950)
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 88848
    published 2016-02-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88848
    title F5 Networks BIG-IP : libtirpc vulnerability (K19157044)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20130530_LIBTIRPC_ON_SL6_X.NASL
    description A flaw was found in the way libtirpc decoded RPC requests. A specially- crafted RPC request could cause libtirpc to attempt to free a buffer provided by an application using the library, even when the buffer was not dynamically allocated. This could cause an application using libtirpc, such as rpcbind, to crash. (CVE-2013-1950) All running applications using libtirpc must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 66709
    published 2013-05-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66709
    title Scientific Linux Security Update : libtirpc on SL6.x i386/srpm/x86_64
  • NASL family RPC
    NASL id RPC_XDRMEM_BYTES.NASL
    description The RPC library has an integer overflow in the function xdrmem_getbytes(). An attacker may use this flaw to execute arbitrary code on this host with the privileges your RPC programs are running with (typically root), by sending a specially crafted request to them. Note that this issue affects Solaris, as well as Red Hat Enterprise Linux and Fedora. Nessus used this flaw to crash the portmapper.
    last seen 2019-02-21
    modified 2018-07-27
    plugin id 11420
    published 2003-03-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=11420
    title Sun RPC XDR xdrmem_getbytes Function Remote Overflow
packetstorm via4
data source https://packetstormsecurity.com/files/download/122431/rpcbind_udp_crash_poc.rb.txt
id PACKETSTORM:122431
last seen 2016-12-05
published 2013-07-17
reporter Sean Verity
source https://packetstormsecurity.com/files/122431/rpcbind-CALLIT-UDP-Crash.html
title rpcbind CALLIT UDP Crash
redhat via4
advisories
bugzilla
id 948378
title CVE-2013-1950 libtirpc: invalid pointer free leads to rpcbind daemon crash
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 6 Client is installed
      oval oval:com.redhat.rhsa:tst:20100842001
    • comment Red Hat Enterprise Linux 6 Server is installed
      oval oval:com.redhat.rhsa:tst:20100842002
    • comment Red Hat Enterprise Linux 6 Workstation is installed
      oval oval:com.redhat.rhsa:tst:20100842003
    • comment Red Hat Enterprise Linux 6 ComputeNode is installed
      oval oval:com.redhat.rhsa:tst:20100842004
  • OR
    • AND
      • comment libtirpc is earlier than 0:0.2.1-6.el6_4
        oval oval:com.redhat.rhsa:tst:20130884005
      • comment libtirpc is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20130884006
    • AND
      • comment libtirpc-devel is earlier than 0:0.2.1-6.el6_4
        oval oval:com.redhat.rhsa:tst:20130884007
      • comment libtirpc-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20130884008
rhsa
id RHSA-2013:0884
released 2013-05-30
severity Moderate
title RHSA-2013:0884: libtirpc security update (Moderate)
rpms
  • libtirpc-0:0.2.1-6.el6_4
  • libtirpc-devel-0:0.2.1-6.el6_4
refmap via4
confirm
Last major update 11-10-2013 - 11:18
Published 09-07-2013 - 13:55
Back to Top