Update Protection against Multiple Vendors rpc.pcnfsd Syslog Format String Vulnerability

Vulnerability
Protection

Check Point Reference:	CPAI-2010-082
Date Published:
Severity:
Last Updated:
Source:	IPS Research Center
Industry Reference(s):	CVE-2010-1039
Protection Provided by:	Security Gateway R71 R70 VPN-1 NGX R65 VSX NGX R65 InterSpect NGX IPS-1 IPS-1 IPS-1 NGX R65
Who is Vulnerable? IBM AIX 6.1.0 and earlier versions IRIX 6.5 HP-UX 11.11
Vulnerability Description An integer overflow vulnerability was reported in the rpc.pcnfsd service within the several systems. The rpc.pcnfsd daemon handles requests from PC-NFS clients for authentication services on remote machines. These services include authentication for mounting and for print spooling. The vulnerability is triggered when parsing crafted RPC requests. A remote attacker can leverage this vulnerability by sending a crafted RPC message to the target host, to potentially inject and execute arbitrary code.

Vulnerability Details
The vulnerability resides within a log function of the rpc.pcnfsd service. This can be exploited to cause an integer overflow via a specially crafted RPC request. Successful exploitation of this issue could allow the attacker to execute arbitrary code on an affected system.

Protection Overview
This protection will detect and block malformed RPC requests.

In order for the protection to be activated, update your Security Gateway/VPN-1/InterSpect product to the latest IPS/SmartDefense update. For information on how to update IPS/SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway: R70/R71

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Application Intelligence > SUN-RPC.
2. In the right pane, double-click the Multiple Vendors rpc.pcnfsd Syslog Format String Remote Code Execution protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: SUN-RPC Enforcement Protection
Attack Information: Multiple vendors rpc.pcnfsd syslog format string remote code execution

VPN-1 NGX R65 & VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > SUN-RPC > Multiple Vendors rpc.pcnfsd Syslog Format String Remote Code Execution.
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
2. In the SmartDefense tree, click Application Intelligence > UNIX-RPC.
3. Select the following:

Multiple Vendors rpc.pcnfsd Syslog Format String Remote Code Execution

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?

SmartView Tracker will log the following entries:

Attack Name: SUN-RPC Enforcement Violation
Attack Information: Multiple vendors rpc.pcnfsd syslog format string remote code execution

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > Authentication, and select the Authentication BE protection group.
3. Click Bad User List (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: Authentication
Description: Bad User List

Legal Notice for Threat Center Advisories