1. Introduction
The RPC portmapper (TCP) is a service that listens for connections and maps Remote Procedure Call (RPC) program numbers to TCP/IP ports. It’s commonly found on Unix-like systems, including Linux and older versions of Windows. Exposing an ONC RPC portmapper to untrusted networks lets attackers enumerate the RPC services registered on the host, which can lead to further exploitation. This poses a risk to confidentiality, integrity, and availability by enabling reconnaissance and potential service compromise.
2. Technical Explanation
The RPC portmapper listens for requests on TCP port 111. It answers queries with the list of registered RPC services and the ports they are bound to. An attacker can use this information to identify vulnerable services and attempt exploitation. The weakness lies in the default configuration, in which the portmapper is reachable from any network and thereby reveals internal service details.
- Root cause: The RPC portmapper is enabled by default and listens on a public interface without access controls.
- Exploit mechanism: An attacker sends requests to the portmapper to enumerate RPC services. They can then target specific services with known vulnerabilities. For example, an attacker could use the `rpcinfo` command to list available services.
- Scope: Primarily affects Unix-like systems running ONC RPC portmapper, including older versions of Linux and Windows NT/2000.
3. Detection and Assessment
You can confirm if a system is vulnerable by checking for the presence of an active RPC portmapper service. A thorough assessment involves identifying all registered RPC services.
- Quick checks: Use `netstat -tulnp | grep 111` on Linux to check if anything is listening on TCP port 111. The `grep` filter is loose (it also matches ports such as 1111 and PIDs containing 111), so confirm a match by reading the Local Address column.
- Scanning: Nessus plugin ID 28943 can detect the running RPC portmapper service. OpenVAS also has relevant scans. These are examples only.
- Logs and evidence: Check system logs for messages related to `rpcbind` or `portmap`. Look for entries indicating successful connections on port 111.
netstat -tulnp | grep 111
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1234/rpcbind
4. Solution / Remediation Steps
The best way to fix this issue is to disable the RPC portmapper service if it’s not required. If needed, restrict access to trusted networks only.
4.1 Preparation
- Dependencies: Ensure no critical applications rely on the RPC portmapper service. Roll back plan: re-enable the service if issues occur.
- Change window needs: A standard maintenance window is recommended, with approval from the system owner.
4.2 Implementation
- Step 1: Stop the `rpcbind` service using `systemctl stop rpcbind`.
- Step 2: Disable the `rpcbind` service to prevent it from starting on boot using `systemctl disable rpcbind`.
- Step 3: Verify the service is stopped with `systemctl status rpcbind`.
4.3 Config or Code Example
Before
systemctl status rpcbind
● rpcbind.service - RPC bind service
Loaded: loaded (/lib/systemd/system/rpcbind.service; enabled; vendor preset: enabled)
Active: active (running) since ...
After
systemctl status rpcbind
● rpcbind.service - RPC bind service
Loaded: loaded (/lib/systemd/system/rpcbind.service; disabled; vendor preset: enabled)
Active: inactive (dead) since ...
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent this issue. Least privilege is key, as is a strong patch cadence.
- Practice 1: Least privilege – only run services that are absolutely necessary and limit their access.
- Practice 2: Safe defaults – disable unnecessary services by default during system installation or configuration.
4.5 Automation (Optional)
#!/bin/bash
# Stop and disable rpcbind on systemd-based Linux systems.
# rpcbind.socket is handled as well: if it stays active, systemd
# re-launches rpcbind.service on the next connection to port 111.
systemctl stop rpcbind.service rpcbind.socket
systemctl disable rpcbind.service rpcbind.socket
echo "rpcbind service and socket stopped and disabled."
5. Verification / Validation
Confirm the fix by checking that the RPC portmapper is no longer listening on TCP port 111. A smoke test should verify dependent services still function if applicable.
- Post-fix check: Run `netstat -tulnp | grep 111`. The output should be empty.
- Re-test: Re-run the earlier detection method (`netstat -tulnp | grep 111`) to confirm no listening ports remain.
- Monitoring: Monitor system logs for unexpected errors related to RPC services.
netstat -tulnp | grep 111
# No output should be displayed
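The detection check in section 3 and the post-fix re-test in section 5 both come down to reading the Local Address column of a `netstat -tulnp` listing; the script below, an added example that is not part of the original article, does that reading mechanically and separates "nothing on port 111" from "bound to loopback only" and "reachable from the network", which is the distinction between no action, restricting access, and disabling the service. The function name `classify_portmapper` and the `SAMPLE_*` listings are assumptions of this example; the listings are constructed, not real captures.

```shell
#!/bin/bash
# Added example (not from the original article): classify a `netstat -tulnp`
# listing by what is bound to port 111. Takes the listing as a string so the
# same logic runs on live output or on a capture saved during a host review.
# Return codes: 0 = nothing on port 111, 1 = loopback only (127.0.0.1 / ::1),
# 2 = bound to a non-loopback address, i.e. reachable from the network.
classify_portmapper() {
  local listing="$1" public loopback
  # Field 1 is the protocol, field 4 the local address. Only sockets whose
  # local port is exactly 111 are counted; ports such as 1111 are ignored.
  public=$(printf '%s\n' "$listing" | awk '
    $1 ~ /^(tcp|udp)6?$/ && $4 ~ /:111$/ &&
    $4 != "127.0.0.1:111" && $4 != "::1:111" { n++ } END { print n + 0 }')
  loopback=$(printf '%s\n' "$listing" | awk '
    $1 ~ /^(tcp|udp)6?$/ && ($4 == "127.0.0.1:111" || $4 == "::1:111") { n++ }
    END { print n + 0 }')
  if [ "$public" -gt 0 ]; then return 2; fi
  if [ "$loopback" -gt 0 ]; then return 1; fi
  return 0
}

# Constructed sample listings (not real captures) covering the three outcomes.
SAMPLE_EXPOSED='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1234/rpcbind
tcp6 0 0 :::111 :::* LISTEN 1234/rpcbind
udp 0 0 0.0.0.0:111 0.0.0.0:* 1234/rpcbind'
SAMPLE_LOOPBACK='tcp 0 0 127.0.0.1:111 0.0.0.0:* LISTEN 1234/rpcbind'
SAMPLE_CLEAN='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 800/sshd
tcp 0 0 0.0.0.0:1111 0.0.0.0:* LISTEN 900/other'

# Demonstration on the samples; pass "$(netstat -tulnp 2>/dev/null)" instead
# to audit the live host (root is needed for the PID/Program column).
for s in "$SAMPLE_EXPOSED" "$SAMPLE_LOOPBACK" "$SAMPLE_CLEAN"; do
  classify_portmapper "$s" && rc=0 || rc=$?
  case $rc in
    0) echo "no portmapper listener" ;;
    1) echo "portmapper bound to loopback only" ;;
    2) echo "portmapper reachable from the network: restrict or disable" ;;
  esac
done
```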
6. Preventive Measures and Monitoring
Update security baselines to include disabling unnecessary services like the RPC portmapper. Implement checks in CI/CD pipelines to enforce these configurations.
- Baselines: Update your Linux hardening baseline (for example, CIS benchmarks) to disable `rpcbind` by default.
- Pipelines: Use configuration management tools (Ansible, Puppet, Chef) to ensure the service remains disabled across all systems.
- Asset and patch process: Review system configurations regularly as part of a vulnerability management program.
7. Risks, Side Effects, and Roll Back
Disabling the RPC portmapper may impact applications that rely on it. Ensure you have a clear roll back plan in place.
- Risk or side effect 1: Applications using RPC services might fail if `rpcbind` is disabled.
- Risk or side effect 2: Some network features requiring RPC may become unavailable.
- Roll back: Step 1: Enable the `rpcbind` service with `systemctl enable rpcbind`. Step 2: Start the `rpcbind` service with `systemctl start rpcbind`. Step 3: Verify the service is running with `systemctl status rpcbind`.
8. References and Resources
- Vendor advisory or bulletin: Red Hat Security Advisory
- NVD or CVE entry: CVE-2019-5783
- Product or platform documentation relevant to the fix: rpcbind man page