Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

UNIX RPC Interface Scanning Protection

Attack ID: CPAI-2004-57
Publish Date:
Last Update:
Category: UNIX RPC Interface Scanning Protection
Vulnerable Systems: UNIX operating systems
Source: SmartDefense Research Center
Description:

RPC is a communication method between clients and servers, used by UNIX-based applications as well as many other applications. The RPC interface scanning is an advanced technique that may be used by attackers to gain information about services and applications running on a remote UNIX server. An attacker may use this information to launch an attack on the server.

Severity:
Details:

The Remote Procedure Call (RPC) mechanism provides a way to identify which services are available on a server. Sending a query through the RPC Interface (rpcinfo) will return a list of all the services registered on a system. An attacker that wishes to gain information about the status of a remote UNIX server may send an rpcinfo request to the server and obtain a list of all the services and application running on that server.

Attack Detection:

Using SmartView Tracker, users of VPN-1 NG with Application Intelligence R55, R55W and InterSpect who have performed the Update outlined below, will be able to identify this attack by the following logging entries:

Users of R55
Users of R55 will identify rule number 99111 on the SmartView Tracker log viewer.
Rule 99111 - Detected SUN-RPC over TCP Lookup operation / Detected SUN-RPC over UDP Lookup operation

Users of R55W and InterSpect:

Attack Name: SUN-RPC Enforcement Violation
Attack Information (may vary):

  • Detected SUN-RPC over TCP Lookup operation  
  • Detected SUN-RPC over UDP Lookup operation     
  • Malformed SUN-RPC over TCP packet: packet too short  
  • Malformed SUN-RPC over UDP packet: packet too short  
  • Malformed SUN-RPC over TCP packet: illegal packet length
Solution:

Users of VPN-1 NG with Application Intelligence R55 and InterSpect should update their SmartDefense by clicking the Update Now button on the SmartDefense SmartDashboard General window.

Users of VPN-1 NG with Application Intelligence R55W should update their SmartDefense by clicking the Online Update button on the SmartDefense SmartDashboard General window.

The Update adds a new branch of protections to the SmartDefense tree titled Sun-RPC. The new protection blocks SUN-RPC interface scanning, a technique used to gather information on services and applications registered on a remote UNIX RPC server. The Update also provides enforcement of the RPC protocol through inspection of packet lengths. The new SUN-RPC Programs Lookup protection has been added on the SmartDefense navigation tree, under Application Intelligence > SUN-RPC.  

To activate the protection:

  1. On the SmartDefense navigation tree, select Application Intelligence > SUN-RPC > SUN-RPC Programs Lookup.
  2. Select one of the two options: Block SUN-RPC Programs Lookup or the Monitor Only option to log the attack without blocking it.  

Note: Some legitimate applications may fail to communicate if the RPC interface is blocked.

Industry Reference:
Additional Information: This Update also includes an enhanced protection to the JPEG content protection introduced on September 22, 2004. For more information, refer to the Solution section in CPAI-2004-42.