Permanent CPU Hog During TCP Flood on Portmap and RPC.STATD

Hi all,

this is Stefano from Cisco PSIRT. As John mentioned this is affecting one of our product. As per our policy we would need to disclose this vulnerability however we are on hold waiting for your evaluation.

Can you please let me know the status?
If it can help, we have reported a similar issue to RH which confirmed the issue.

Thanks
Stefano

Please report this issue to the upstream eglibc project, and link the resulting bug here. Thanks.

Thanks for the update, can you please provide instructions on how to do this?

-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Marc Deslauriers
Sent: Friday, January 27, 2012 8:51 AM
To: John Zimmerman (johzimme)
Subject: [Bug 901716] Re: Permanent CPU Hog During TCP Flood on Portmap andRPC.STATD

Please report this issue to the upstream eglibc project, and link the
resulting bug here. Thanks.

** Changed in: eglibc (Ubuntu)
       Status: New => Incomplete

--
You received this bug notification because you are subscribed to the bug
report.
https://bugs.launchpad.net/bugs/901716

Title:
  Permanent CPU Hog During TCP Flood on Portmap and RPC.STATD

Status in “eglibc” package in Ubuntu:
  Incomplete

Bug description:
  I’m investigating a Permanent CPU DoS resulting from a TCP flood
  attack against the TCP ports bound to the Portmap and RPC.STATD
  services in Ubuntu 10.04. I’ve found a similar issue on RedHat and it
  appears the vulnerability/bug is in glibc
  (https://bugzilla.redhat.com/show_bug.cgi?id=702300). However, I
  wasn't able to find a similar bug in Ubuntu. The cause may be
  different, but it appears similar.

  The glibc version installed on my Ubuntu 10.04 server is “libglib2.0-0
  2.24.1-0ubuntu1”.

  To reproduce, download the following tools from the internet and execute the following commands:
  1. arpspoof -i eth1 -t <ubuntu-ip-address> <source-spoof-ip-addr>
  2. srvr -SAa -i eth1 <source-spoof-ip-addr> [srvr is part of the Naptha tool]
  3. hping2 <ubuntu-ip-address> -p <port-number> -S -a <source-spoof-ip-addr> -i u10000 –q
      Note: portnumber is 111 for portmap and the port dynamically bound to rpc.statd (via netstat -lnup | grep rpc.statd)

  Thanks,
  John Zimmerman

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/901716/+subscriptions

Actually, you should probably file the bug with glibc itself. Instructions to do so are here:
http://www.gnu.org/software/libc/bugs.html

Thanks.

Looks like this is:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4609
https://www.redhat.com/archives/rhsa-announce/2012-January/msg00020.html

Hi Marc

Stefano here from PSIRT again. I already mentioned that we reported this to RH and they assigned CVE-2011-4609 (see my post on the 18/01) to this issue on their side.
Now my questions are:
1- how do u plan to handle this issue.
2- would u request a new CVE or reuse the one assigned from RH

Thanks
Stefano

Hi Stefano,

Once glibc commits a fix for this issue, either the fix RedHat used, or a similar one, we will backport the fixes to our stable releases by priority.

The CVE identifies the flaw, as such, we will not be requesting a new one.

You can track the progress of this here:

http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-4609.html

Hi Mark,

so since the info is public I am assuming I can disclose on my side.

Thanks
Stefano

On 07-Feb-12 18:06, Marc Deslauriers wrote:
> Hi Stefano,
>
> Once glibc commits a fix for this issue, either the fix RedHat used, or
> a similar one, we will backport the fixes to our stable releases by
> priority.
>
> The CVE identifies the flaw, as such, we will not be requesting a new
> one.
>

--
Stefano De Crescenzo <email address hidden>
Incident Manager - CCIE #26025 (Security), CCDP
Product Security Incident Response Team (PSIRT) - EMEA
Cisco Systems, Inc.
+32 27046890
PGP Key ID: 0x582770A5
http://www.cisco.com/go/psirt
***
For corporate legal information go to:
http://www.cisco.com/web/about/doing_business/legal/cri/index.html
***

This bug was fixed in the package eglibc - 2.13-20ubuntu5.1

---------------
eglibc (2.13-20ubuntu5.1) oneiric-security; urgency=low

  * SECURITY UPDATE: timezone header parsing integer overflow (LP: #906961)
    - debian/patches/any/glibc-CVE-2009-5029.patch: Check values from
      TZ file header
    - CVE-2009-5029
  * SECURITY UPDATE: ld.so insecure handling of privileged programs'
    RPATHs with $ORIGIN
    - debian/patches/any/glibc-CVE-2011-1658.patch: improve handling of
      RPATH and ORIGIN
    - CVE-2011-1658
  * SECURITY UPDATE: DoS in RPC implementation (LP: #901716)
    - debian/patches/any/glibc-CVE-2011-4609.patch: nanosleep when too
      many open fds is detected
    - CVE-2011-4609
  * SECURITY UPDATE: vfprintf nargs overflow leading to FORTIFY
    check bypass
    - debian/patches/any/glibc-CVE-2012-0864.patch: check for integer
      overflow
    - CVE-2012-0864
 -- Steve Beattie <email address hidden> Tue, 06 Mar 2012 11:28:06 -0800