ID CVE-2015-7236
Summary Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c in rpcbind 0.2.1 and earlier allows remote attackers to cause a denial of service (daemon crash) via crafted packets, involving a PMAP_CALLIT code.
References
Vulnerable Configurations
  • RPCBind Project RPCBind 0.2.1
    cpe:2.3:a:rpcbind_project:rpcbind:0.2.1
  • Debian Linux 7.0
    cpe:2.3:o:debian:debian_linux:7.0
  • Canonical Ubuntu Linux 15.04
    cpe:2.3:o:canonical:ubuntu_linux:15.04
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 12.04 LTS
    cpe:2.3:o:canonical:ubuntu_linux:12.04:-:-:-:lts
  • cpe:2.3:a:oracle:solaris_operating_system:11.3
  • cpe:2.3:a:oracle:solaris_operating_system:10
CVSS
Base: 5.0 (as of 25-04-2016 - 10:05)
Impact:
Exploitability:
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: PARTIAL
nessus via4
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2016-659.NASL
    description A use-after-free flaw related to the PMAP_CALLIT operation and TCP/UDP connections was discovered in rpcbind. A remote, unauthenticated attacker could possibly exploit this flaw to crash the rpcbind service (denial of service) by performing a series of UDP and TCP calls.
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 89840
    published 2016-03-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89840
    title Amazon Linux AMI : rpcbind (ALAS-2016-659)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_X86_152265-01.NASL
    description Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Utilities). Supported versions that are affected are 10 and 11.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via RPC to compromise Solaris. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Solaris.
    last seen 2019-02-21
    modified 2018-10-29
    plugin id 108255
    published 2018-03-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108255
    title Solaris 10 (x86) : 152265-01
  • NASL family Junos Local Security Checks
    NASL id JUNIPER_SPACE_JSA_10838.NASL
    description According to its self-reported version number, the remote Junos Space version is prior to 17.2R1. It is, therefore, affected by multiple vulnerabilities.
    last seen 2019-02-21
    modified 2018-08-03
    plugin id 108520
    published 2018-03-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108520
    title Juniper Junos Space < 17.2R1 Multiple Vulnerabilities (JSA10838)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_152264-01.NASL
    description Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Utilities). Supported versions that are affected are 10 and 11.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via RPC to compromise Solaris. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Solaris.
    last seen 2019-02-21
    modified 2018-10-26
    plugin id 107782
    published 2018-03-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107782
    title Solaris 10 (sparc) : 152264-01
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_0E5D6969600A11E6A6C314DAE9D210B8.NASL
    description In rpcbind(8), netbuf structures are copied directly, which would result in two netbuf structures that reference to one shared address buffer. When one of the two netbuf structures is freed, access to the other netbuf structure would result in an undefined result that may crash the rpcbind(8) daemon. Impact : A remote attacker who can send specifically crafted packets to the rpcbind(8) daemon can cause it to crash, resulting in a denial of service condition.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 92896
    published 2016-08-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92896
    title FreeBSD : FreeBSD -- rpcbind(8) remote denial of service [REVISED] (0e5d6969-600a-11e6-a6c3-14dae9d210b8)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-0005.NASL
    description From Red Hat Security Advisory 2016:0005 : Updated rpcbind packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The rpcbind utility is a server that converts RPC program numbers into universal addresses. It must be running on the host to be able to make RPC calls on a server on that machine. A use-after-free flaw related to the PMAP_CALLIT operation and TCP/UDP connections was discovered in rpcbind. A remote attacker could possibly exploit this flaw to crash the rpcbind service by performing a series of UDP and TCP calls. (CVE-2015-7236) All rpcbind users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. If the rpcbind service is running, it will be automatically restarted after installing this update.
    last seen 2019-02-21
    modified 2018-07-25
    plugin id 87792
    published 2016-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87792
    title Oracle Linux 6 / 7 : rpcbind (ELSA-2016-0005)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-0005.NASL
    description Updated rpcbind packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The rpcbind utility is a server that converts RPC program numbers into universal addresses. It must be running on the host to be able to make RPC calls on a server on that machine. A use-after-free flaw related to the PMAP_CALLIT operation and TCP/UDP connections was discovered in rpcbind. A remote attacker could possibly exploit this flaw to crash the rpcbind service by performing a series of UDP and TCP calls. (CVE-2015-7236) All rpcbind users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. If the rpcbind service is running, it will be automatically restarted after installing this update.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87805
    published 2016-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87805
    title RHEL 6 / 7 : rpcbind (RHSA-2016:0005)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20160107_RPCBIND_ON_SL6_X.NASL
    description A use-after-free flaw related to the PMAP_CALLIT operation and TCP/UDP connections was discovered in rpcbind. A remote attacker could possibly exploit this flaw to crash the rpcbind service by performing a series of UDP and TCP calls. (CVE-2015-7236) If the rpcbind service is running, it will be automatically restarted after installing this update.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 87813
    published 2016-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87813
    title Scientific Linux Security Update : rpcbind on SL6.x, SL7.x i386/x86_64
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-311.NASL
    description A use-after-free vulnerability in rpcbind causing remotely triggerable crash was found. Rpcbind crashes in svc_dodestroy when trying to free a corrupted xprt->xp_netid pointer, which contains a sockaddr_in. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-09
    plugin id 86021
    published 2015-09-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86021
    title Debian DLA-311-1 : rpcbind security update
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_X86_152265.NASL
    description Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Utilities). Supported versions that are affected are 10 and 11.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via RPC to compromise Solaris. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Solaris. This plugin has been deprecated and either replaced with individual 152265 patch-revision plugins, or deemed non-security related.
    last seen 2019-02-21
    modified 2018-07-30
    plugin id 90089
    published 2016-03-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90089
    title Solaris 10 (x86) : 152265-01 (deprecated)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_152264.NASL
    description Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Utilities). Supported versions that are affected are 10 and 11.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via RPC to compromise Solaris. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Solaris. This plugin has been deprecated and either replaced with individual 152264 patch-revision plugins, or deemed non-security related.
    last seen 2019-02-21
    modified 2018-07-30
    plugin id 90085
    published 2016-03-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90085
    title Solaris 10 (sparc) : 152264-01 (deprecated)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-36B145BD37.NASL
    description rpcbind-0.2.3-0.4.fc23 - Fixed Seg fault in PMAP_CALLIT code (bz1264351) rpcbind-0.2.3-0.3.fc22 - Fixed Seg fault in PMAP_CALLIT code (bz 1264351) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 89208
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89208
    title Fedora 23 : rpcbind-0.2.3-0.4.fc23 (2015-36b145bd37)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2756-1.NASL
    description It was discovered that rpcbind incorrectly handled certain memory structures. A remote attacker could use this issue to cause rpcbind to crash, resulting in a denial of service, or possibly execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 86220
    published 2015-10-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86220
    title Ubuntu 12.04 LTS / 14.04 LTS / 15.04 : rpcbind vulnerability (USN-2756-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-9EEE2FBC78.NASL
    description rpcbind-0.2.3-0.4.fc23 - Fixed Seg fault in PMAP_CALLIT code (bz1264351) rpcbind-0.2.3-0.3.fc22 - Fixed Seg fault in PMAP_CALLIT code (bz 1264351) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 89339
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89339
    title Fedora 22 : rpcbind-0.2.3-0.3.fc22 (2015-9eee2fbc78)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1706-2.NASL
    description A use-after-free security bug in rpcbind was fixed which could lead to a remote denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 86345
    published 2015-10-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86345
    title SUSE SLES11 Security Update : rpcbind (SUSE-SU-2015:1706-2)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3366.NASL
    description A remotely triggerable use-after-free vulnerability was found in rpcbind, a server that converts RPC program numbers into universal addresses. A remote attacker can take advantage of this flaw to mount a denial of service (rpcbind crash).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 86108
    published 2015-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86108
    title Debian DSA-3366-1 : rpcbind - security update
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1705-1.NASL
    description A use-after-free security bug in rpcbind was fixed which could lead to a remote denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 86342
    published 2015-10-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86342
    title SUSE SLES12 Security Update : rpcbind (SUSE-SU-2015:1705-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1705-2.NASL
    description A use-after-free security bug in rpcbind was fixed which could lead to a remote denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 86343
    published 2015-10-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86343
    title SUSE SLED12 Security Update : rpcbind (SUSE-SU-2015:1705-2)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1706-1.NASL
    description A use-after-free security bug in rpcbind was fixed which could lead to a remote denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 86344
    published 2015-10-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86344
    title SUSE SLED11 / SLES11 Security Update : rpcbind (SUSE-SU-2015:1706-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201611-17.NASL
    description The remote host is affected by the vulnerability described in GLSA-201611-17 (RPCBind: Denial of Service) A use-after-free vulnerability was discovered in RPCBind’s svc_dodestroy function when trying to free a corrupted xprt->xp_netid pointer. Impact : A remote attacker could possibly cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2016-11-23
    plugin id 95268
    published 2016-11-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95268
    title GLSA-201611-17 : RPCBind: Denial of Service
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-0005.NASL
    description Updated rpcbind packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The rpcbind utility is a server that converts RPC program numbers into universal addresses. It must be running on the host to be able to make RPC calls on a server on that machine. A use-after-free flaw related to the PMAP_CALLIT operation and TCP/UDP connections was discovered in rpcbind. A remote attacker could possibly exploit this flaw to crash the rpcbind service by performing a series of UDP and TCP calls. (CVE-2015-7236) All rpcbind users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. If the rpcbind service is running, it will be automatically restarted after installing this update.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87778
    published 2016-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87778
    title CentOS 6 / 7 : rpcbind (CESA-2016:0005)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS_APR2016_SRU11_3_4_5_0.NASL
    description This Solaris system is missing necessary patches to address a critical security update : - Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Utilities). Supported versions that are affected are 10 and 11.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via RPC to compromise Solaris. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Solaris. (CVE-2015-7236)
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 90619
    published 2016-04-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90619
    title Oracle Solaris Critical Patch Update : apr2016_SRU11_3_4_5_0
redhat via4
advisories
bugzilla
id 1264345
title CVE-2015-7236 rpcbind: Use-after-free vulnerability in PMAP_CALLIT
oval
OR
  • AND
    • comment rpcbind is earlier than 0:0.2.0-11.el6_7
      oval oval:com.redhat.rhsa:tst:20160005005
    • comment rpcbind is signed with Red Hat redhatrelease2 key
      oval oval:com.redhat.rhsa:tst:20160005006
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhba:tst:20111656001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhba:tst:20111656002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20111656004
  • AND
    • comment rpcbind is earlier than 0:0.2.0-33.el7_2
      oval oval:com.redhat.rhsa:tst:20160005011
    • comment rpcbind is signed with Red Hat redhatrelease2 key
      oval oval:com.redhat.rhsa:tst:20160005006
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhba:tst:20150364001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhba:tst:20150364002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhba:tst:20150364003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20150364004
rhsa
id RHSA-2016:0005
released 2016-01-07
severity Moderate
title RHSA-2016:0005: rpcbind security update (Moderate)
rpms
  • rpcbind-0:0.2.0-11.el6_7
  • rpcbind-0:0.2.0-33.el7_2
refmap via4
bid 76771
confirm
debian DSA-3366
fedora
  • FEDORA-2015-36b145bd37
  • FEDORA-2015-9eee2fbc78
freebsd FreeBSD-SA-15:24
gentoo GLSA-201611-17
mlist
  • [linux-nfs] 20150810 [PATCH] Fix memory corruption in PMAP_CALLIT code
  • [oss-security] 20150917 CVE Request: remote triggerable use-after-free in rpcbind
  • [oss-security] 20150917 Re: CVE Request: remote triggerable use-after-free in rpcbind
sectrack 1033673
ubuntu USN-2756-1
Last major update 07-12-2016 - 22:13
Published 01-10-2015 - 16:59
Last modified 30-06-2017 - 21:29