Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Update Protection against Multiple Vendors librpc.dll Stack Buffer Overflow

Subscribe

Check Point Reference: CPAI-2011-101
Date Published:
Severity:
Source: Secunia Advisory SA38731
Industry Reference(s): CVE-2009-2754
Protection Provided by: IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
EMC Legato NetWorker
IBM Informix Dynamic Server prior to 10.00.TC9
IBM Informix Dynamic Server prior to 11.10.TC3
Vulnerability Description
A buffer overflow vulnerability exists in IBM's Informix Dynamic Server and EMC's Legato Networker. The vulnerability is due to insufficient validation of user input during authentication by the RPC protocol parsing library, librpc.dll, used by the Portmapper service (portmap.exe). Successful exploitation may result in arbitrary code execution on the affected system.
Vulnerability Details
The vulnerability is due to improper bounds checking of the Machine Name parameter in the AUTH_UNIX flavour of the remote procedure call authentication.

Protection Overview
The protection will detect and block RPC requests using AUTH_UNIX flavor of authentication with improperly specified machine names.

To configure the defense, select your product from the list below and follow the related protection steps.

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > RPC, and select the portmap protection group.
3. Click Multiple Vendors librpc.dll Stack Buffer Overflow (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: Portmap
Description: Multiple Vendors librpc.dll Stack Buffer Overflow