
How to remediate – Detect RPC over UDP

1. Introduction

Detect RPC over UDP indicates that an ONC RPC (Sun RPC) service is answering calls on a UDP port without being registered with the portmapper (rpcbind, port 111). Registration is only a directory, not an access control, so an unregistered service is exactly as reachable as a registered one; the finding matters because the service is missing from the inventory that rpcinfo gives and is typically a forgotten or misconfigured daemon that accepts calls with weak, client-asserted authentication, which can lead to information disclosure or, depending on the service, remote code execution. Systems commonly affected are Unix and Linux hosts running the NFS stack (nfsd, mountd, statd, lockd) or NIS, and Windows hosts running Services for NFS, which also run a portmapper. Native Microsoft RPC (MSRPC) is not involved: it uses the Endpoint Mapper on TCP 135, not the portmapper. Likely impact: Confidentiality – possible, Integrity – possible, Availability – possible.

2. Technical Explanation

The finding is raised when a service answers ONC RPC calls on a UDP port but the portmapper has no entry mapping a program number to that port. The scanner discovers such services the way an attacker would: it sends RPC NULL-procedure calls (procedure 0, AUTH_NONE credentials) for a list of well-known program numbers directly to UDP ports. Any well-formed RPC reply, including PROG_UNAVAIL or PROG_MISMATCH, proves that an RPC listener is on the port, and a SUCCESS or PROG_MISMATCH reply tells the sender which program and versions are served. The port has to be reachable for this to work, so the finding also shows that network filtering allows the traffic. Once the program number is known, an attacker can call the service's procedures directly; whether that yields data or code execution depends entirely on the service's own checks, and many classic ONC RPC services trust AUTH_SYS (AUTH_UNIX) credentials, in which the client asserts its own uid and gid. There is no CVE for this detection, since it reports a configuration and inventory problem rather than a software flaw; the risk is that of whatever service sits on the port.

  • Root cause: the service never registered, or its registration was lost. The usual cases are rpcbind being restarted after the service started (registrations live in rpcbind's memory and are gone after a restart unless it runs with warm start, see rpcbind(8) and its -w option), a service started before rpcbind was up, a service explicitly configured not to register, or a firewall that blocks port 111 from the scanner while leaving the service port open, so the scanner cannot see a registration that does exist.
  • Exploit mechanism: the attacker sends RPC calls straight to the exposed UDP port, bypassing the portmapper entirely; the portmapper is not in the data path and cannot restrict anything.
  • Scope: Unix and Linux hosts running ONC RPC services, and Windows hosts running Services for NFS. Native Windows RPC (MSRPC, Endpoint Mapper on TCP 135) is out of scope.

3. Detection and Assessment

Confirming the finding means showing that a UDP port answers RPC calls and that the portmapper has no entry for it, from the network position the scanner used.

  • Quick checks: on Linux, list UDP listeners with ss -lun (or netstat -anu) and portmapper registrations with rpcinfo -p; any non-loopback UDP port that is listening but absent from the udp rows of rpcinfo is a candidate. Send a NULL call to a candidate port with the TI-RPC form rpcinfo -a <ip>.<port_hi>.<port_lo> -T udp <prognum> (the port is written as two bytes, so 2049 is 8.1; check rpcinfo(8) for the -a option on your platform) or with a small probe script. On Windows, netstat -an -p udp lists UDP listeners and rpcinfo (installed with Client for NFS) queries the portmapper; port 135 is the MSRPC Endpoint Mapper and is unrelated to this finding.
  • Scanning: Nessus plugin ID 10385 (Detect RPC over UDP) reports this condition. Treat the ID as an example, check it against your scanner's plugin database, and verify results manually, because a blocked port 111 makes every registered UDP service look unregistered to the scanner.
  • Logs and evidence: on systemd hosts, journalctl -u rpcbind shows rpcbind restarts (the moment registrations were lost), and the journals of the NFS units show registration errors at startup. On Windows, check the System log in Event Viewer for Server for NFS and Client for NFS entries.

rpcinfo -p localhost
ss -lun
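The NULL-call probe that the technical explanation and the manual verification above rely on, as an added Python example (it is not part of this article and not a scanner's code): it builds an RFC 5531 CALL message for procedure 0, decodes whatever reply comes back, and states what the reply proves about the port. The sample reply bytes are constructed for illustration, not captured traffic; probe_udp_port is the live version and should only be pointed at hosts you are authorised to test.

```python
"""ONC RPC v2 NULL-procedure probe over UDP (message layout per RFC 5531)."""
import socket
import struct

CALL, REPLY = 0, 1
MSG_ACCEPTED, MSG_DENIED = 0, 1
ACCEPT_STAT = {0: "SUCCESS", 1: "PROG_UNAVAIL", 2: "PROG_MISMATCH",
               3: "PROC_UNAVAIL", 4: "GARBAGE_ARGS", 5: "SYSTEM_ERR"}
REJECT_STAT = {0: "RPC_MISMATCH", 1: "AUTH_ERROR"}

# A few well-known program numbers worth trying against an unknown port.
KNOWN_PROGRAMS = {100000: "portmapper", 100003: "nfs", 100004: "ypserv",
                  100005: "mountd", 100021: "nlockmgr", 100024: "status"}

PROBE_XID = 0x5A5A0001  # arbitrary transaction id; a genuine reply must echo it


def build_null_call(xid, prog, vers=1):
    """CALL message for procedure 0 (NULL) with AUTH_NONE credential and verifier.
    Over UDP each datagram is one message, so there is no record-marking header."""
    return struct.pack("!10I", xid, CALL, 2, prog, vers, 0,  # rpcvers=2, proc=0
                       0, 0,   # cred: flavor AUTH_NONE, body length 0
                       0, 0)   # verf: flavor AUTH_NONE, body length 0


def parse_reply(data, xid):
    """Decode a REPLY. Returns a dict, or None if data is not a well-formed reply to xid."""
    if len(data) < 12:
        return None
    rxid, mtype, rstat = struct.unpack("!3I", data[:12])
    if rxid != xid or mtype != REPLY:
        return None
    off = 12
    if rstat == MSG_ACCEPTED:
        if len(data) < off + 8:
            return None
        _flavor, vlen = struct.unpack("!2I", data[off:off + 8])
        off += 8 + ((vlen + 3) & ~3)          # skip the verifier body, padded to 4 bytes
        if len(data) < off + 4:
            return None
        (astat,) = struct.unpack("!I", data[off:off + 4])
        off += 4
        result = {"status": "accepted", "accept_stat": ACCEPT_STAT.get(astat, "UNKNOWN")}
        if astat == 2 and len(data) >= off + 8:  # PROG_MISMATCH carries low/high version
            result["versions"] = struct.unpack("!2I", data[off:off + 8])
        return result
    if rstat == MSG_DENIED:
        if len(data) < off + 4:
            return None
        (rej,) = struct.unpack("!I", data[off:off + 4])
        return {"status": "denied", "reject_stat": REJECT_STAT.get(rej, "UNKNOWN")}
    return None


def interpret(reply, prog):
    """What a reply proves about the port: any well-formed reply means an RPC listener."""
    if reply is None:
        return "no RPC reply (not an RPC service, filtered, or wrong xid)"
    if reply["status"] == "denied":
        return f"RPC listener present; call denied ({reply['reject_stat']})"
    st = reply["accept_stat"]
    if st == "SUCCESS":
        return f"RPC listener serving program {prog}"
    if st == "PROG_MISMATCH":
        lo, hi = reply["versions"]
        return f"RPC listener serving program {prog} versions {lo}-{hi}"
    if st == "PROG_UNAVAIL":
        return f"RPC listener present, but not program {prog}"
    return f"RPC listener present ({st})"


def probe_udp_port(host, port, prog, vers=1, timeout=2.0, xid=PROBE_XID):
    """Send one NULL call to host:port and decode whatever comes back (None on timeout)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_null_call(xid, prog, vers), (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_reply(data, xid)


# Constructed sample replies (not captured traffic) in the RFC 5531 layout:
# mountd answering a v1 NULL call with PROG_MISMATCH, supported versions 1..3
SAMPLE_MISMATCH_REPLY = struct.pack("!8I", PROBE_XID, REPLY, MSG_ACCEPTED, 0, 0, 2, 1, 3)
# some RPC service answering PROG_UNAVAIL: it is an RPC listener, just not this program
SAMPLE_UNAVAIL_REPLY = struct.pack("!6I", PROBE_XID, REPLY, MSG_ACCEPTED, 0, 0, 1)

if __name__ == "__main__":
    for name, sample in (("mountd", SAMPLE_MISMATCH_REPLY), ("other", SAMPLE_UNAVAIL_REPLY)):
        print(name, "->", interpret(parse_reply(sample, PROBE_XID), 100005))
    # Live use against a host you are authorised to test (assumed address), for example:
    # print(interpret(probe_udp_port("192.0.2.10", 2049, 100003, 3), 100003))
```

Loop probe_udp_port over KNOWN_PROGRAMS for a candidate port: a PROG_UNAVAIL answer already settles that the port is an RPC service, and a SUCCESS or PROG_MISMATCH answer names the program, which is what you then look for in rpcinfo -p.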

4. Solution / Remediation Steps

Fixing the finding means one of three things, in order of preference: remove or disable the service if it is not needed, make sure every remaining RPC service is registered with the portmapper and stays registered across rpcbind restarts, or, where registration is not possible, restrict who can reach the UDP ports the service uses.

4.1 Preparation

  • A change window may be required, depending on the criticality of the affected services and potential impact.

4.2 Implementation

  1. Step 1: Identify the service on the port (ss -lunp as root shows the owning process; the program number comes from the NULL-call reply) and decide whether it is needed at all. Disable and uninstall unneeded RPC services; a daemon nobody remembers is the typical cause of this finding.
  2. Step 2: For services that stay, fix the registration: start rpcbind before the RPC services and restart the services after any rpcbind restart (on most systemd distributions the NFS units are ordered after rpcbind.socket, so restarting nfs-server.service re-registers nfsd and its helpers), or run rpcbind with warm start (-w) so registrations survive its restarts; see rpcbind(8) for the state files this relies on.
  3. Step 3: Whether or not registration is fixed, restrict the UDP ports with the host firewall (nftables, iptables or firewalld on Linux; Windows Defender Firewall on Windows) and at the network edge so that only the intended clients can reach them. Where NFS clients mount over TCP only (all of NFSv4 and most NFSv3 deployments), UDP can be blocked entirely.

4.3 Config or Code Example

Before: for example, ss -lun shows UDP 2049 bound on all interfaces, but rpcinfo -p lists only portmapper, mountd and status; the NFS server is answering calls on a port the portmapper does not know about, and the scanner reports the finding.

After: rpcinfo -p lists 100003 (nfs) on udp 2049 because nfs-server was restarted after the rpcbind restart that dropped the entry, and the host firewall allows UDP 111 and 2049 only from the NFS client subnet; the scanner, outside that subnet, no longer gets an RPC reply.

4.4 Security Practices Relevant to This Vulnerability


  • Practice 1: Least privilege, so that a reachable RPC service exposes as little as possible; for example, NFS exports with root_squash and explicit client lists, and helper daemons running as unprivileged users.
  • Practice 2: Network segmentation with default-deny host firewalls, so that RPC ports (111 and the dynamically assigned service ports) are reachable only from the systems that need them.

4.5 Automation (Optional)

5. Verification / Validation

Confirming the fix means showing that every listening UDP RPC port now has a matching portmapper entry, or that the port is no longer reachable from the scanner's network.

  • Post-fix check: run rpcinfo -p on the host and compare its udp rows with ss -lun; the affected service (for example 100003 nfs on 2049) must appear. Then run rpcinfo -p <host> from the scanner's network position, since a firewall that hides port 111 but not the service port reproduces the finding.
  • Re-test: re-run the Nessus scan (plugin ID 10385) to confirm the finding is no longer reported.
  • Monitoring: watch the rpcbind journal for restarts, after which registrations can be lost again, and the firewall logs for denied traffic to the RPC ports.

rpcinfo -p localhost
rpcinfo -p <host>
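An added Python example serving both the detection step (section 3) and the post-fix check above; it is not part of this article or of any vendor tool. It parses rpcinfo -p and ss -lun output, lists the non-loopback UDP ports that are listening but have no udp registration, and checks whether a given program number is registered after the fix. The two text samples are constructed to look like the commands' output (they describe a host where rpcbind was restarted after nfsd and lockd had started) and are not captures from a real system; for live use, feed it the real commands' output.

```python
"""Compare a host's UDP listeners with the portmapper's registrations."""
import re

# Constructed sample in the format of `rpcinfo -p` (not output from a real host):
# rpcbind was restarted after nfsd and lockd came up, so their registrations are gone.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100005    1   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100024    1   udp  45521  status
    100024    1   tcp  41287  status
"""

# Constructed sample in the format of `ss -lun` (State Recv-Q Send-Q Local:Port Peer:Port).
SAMPLE_SS = """\
State   Recv-Q  Send-Q       Local Address:Port   Peer Address:Port  Process
UNCONN  0       0                  0.0.0.0:111         0.0.0.0:*
UNCONN  0       0                  0.0.0.0:20048       0.0.0.0:*
UNCONN  0       0                  0.0.0.0:45521       0.0.0.0:*
UNCONN  0       0                  0.0.0.0:2049        0.0.0.0:*
UNCONN  0       0                  0.0.0.0:32803       0.0.0.0:*
UNCONN  0       0            127.0.0.53%lo:53          0.0.0.0:*
UNCONN  0       0                     [::]:111            [::]:*
"""


def parse_rpcinfo(text):
    """Return {(proto, port): {(program, version, service), ...}} from `rpcinfo -p` output."""
    regs = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s*(\S*)", line)
        if m:
            prog, vers, proto, port, svc = m.groups()
            regs.setdefault((proto, int(port)), set()).add((int(prog), int(vers), svc))
    return regs


def parse_ss_udp(text, include_loopback=False):
    """Return the set of UDP ports bound on non-loopback addresses from `ss -lun` output."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "UNCONN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        addr = addr.strip("[]").split("%")[0]        # drop IPv6 brackets and scope id
        if not include_loopback and (addr.startswith("127.") or addr == "::1"):
            continue                                 # unreachable from the network anyway
        ports.add(int(port))
    return ports


def find_unregistered_udp(ss_text, rpcinfo_text):
    """UDP ports that are listening but absent from the portmapper: candidates for a NULL call."""
    registered = {port for proto, port in parse_rpcinfo(rpcinfo_text) if proto == "udp"}
    return sorted(parse_ss_udp(ss_text) - registered)


def is_registered(rpcinfo_text, program, proto="udp"):
    """Post-fix check: does the portmapper now list `program` on `proto`?"""
    return any(p == proto and any(prog == program for prog, _, _ in entries)
               for (p, _), entries in parse_rpcinfo(rpcinfo_text).items())


if __name__ == "__main__":
    # On a live host: find_unregistered_udp(open("ss.txt").read(), open("rpcinfo.txt").read())
    print("listening UDP ports not in portmapper:", find_unregistered_udp(SAMPLE_SS, SAMPLE_RPCINFO))
    print("nfs (100003) registered over udp:", is_registered(SAMPLE_RPCINFO, 100003))
```

Not every port this lists is an RPC service (a DNS or NTP listener would show up too), so each candidate still needs a NULL call or rpcinfo -a before it is reported; the loopback filter exists because a socket bound only to 127.0.0.0/8 or ::1 is not what the scanner saw.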

6. Preventive Measures and Monitoring


  • Baselines: require that RPC services start after rpcbind and re-register after it restarts (or that rpcbind runs with warm start), that unneeded RPC services are disabled, and that host firewalls deny the UDP RPC ports by default.
  • Pipelines: enforce these settings with configuration management (unit ordering, firewall rules, the list of enabled NFS and NIS services), and schedule a periodic comparison of ss -lun against rpcinfo -p so that a lost registration is caught before the next scan.
  • Asset and patch process: review which hosts run ONC RPC services at all during inventory and patching cycles; removing rpcbind and the NFS daemons where they are not needed closes this finding permanently.

7. Risks, Side Effects, and Roll Back

  • Risk or side effect 1: Blocking UDP on RPC ports breaks NFSv3 clients that mount with proto=udp and NIS clients that use UDP; check mount options and NIS bindings before filtering. NFSv4 uses TCP only and is unaffected.
  • Risk or side effect 2: Restarting rpcbind to change its options drops every current registration; restart the RPC services afterwards, or the finding reappears on every service rather than just the original one.
  • Roll back: Revert the firewall rules and the service or unit changes, restart rpcbind and then the RPC services in that order, and confirm with rpcinfo -p. Restore from backup if configuration files were replaced.

8. References and Resources

  • Vendor advisory or bulletin: none; this is a configuration and inventory finding rather than a product flaw.
  • NVD or CVE entry: none for the detection itself; the risk is that of whatever service is on the port.
  • Product or platform documentation relevant to the fix: RFC 5531 (RPC: Remote Procedure Call Protocol Specification Version 2) for the message format a probe uses, RFC 1833 (Binding Protocols for ONC RPC Version 2) for the portmapper and rpcbind protocol, the rpcbind(8) and rpcinfo(8) manual pages, and Microsoft's documentation for Services for NFS on Windows.
Updated on December 27, 2025
