File: 2023.txt

package info (click to toggle)
snort 2.7.0-20.4
  • links: PTS
  • area: main
  • in suites: lenny
  • size: 34,512 kB
  • ctags: 18,772
  • sloc: ansic: 115,404; sh: 10,893; makefile: 1,372; perl: 487; sql: 213
file content (69 lines) | stat: -rw-r--r-- 1,609 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
Rule:

--
Sid:
2023

--
Summary:
The RPC service mountd enables clients to connect to networked file 
machine being dismounted via UDP.

--
Impact:
Denial of network resources to users on the local area network.

--
Detailed Information:
This may be an attempt to deny access to network resources from an 
unauthorized source. It may also be indicative of an attacker probing 
for RPC services on a host in an attempt to discover a possible entry 
point to network resources via a vulnerable daemon.

--
Affected Systems:
All systems allowing network shares to be unmounted by anonymous hosts, 
all systems allowing RPC services to be stopped by ordinary users and 
systems already compromised by an attacker via another vulnerability.

--
Attack Scenarios:
This is an intelligence gathering activity, the attacker could remotely 
unmount a shared resource to deny a resource to the local area network 
or a probe to discover possible routes of entry into a system.

--
Ease of Attack:
Simple

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:
When allowing hosts to mount an external network share, consider using a
hosts.allow file.

Do not allow shares to be unmounted by unauthorized hosts or users.

RPC services should not be available outside the local area network, 
filter RPC ports at the firewall to ensure access is denied to RPC 
enabled machines.

RPC services should also be disabled where not needed.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

--