1. Introduction
RPC Services Enumeration refers to the ability to identify ONC RPC services running on a remote host. This can allow attackers to map available services and attempt connections, potentially leading to compromise. Systems running Network File System (NFS) version 2 or 3 are typically affected. A successful exploit could result in information disclosure, service disruption, or remote code execution.
2. Technical Explanation
The vulnerability occurs because the ONC RPC portmapper responds to DUMP requests, revealing a list of running services. An attacker can use this information to attempt connections and potentially exploit weaknesses within those specific services. No CVE is currently associated with this enumeration itself; however, exploitation often targets known vulnerabilities in individual RPC services. For example, an attacker could identify the mountd service and then exploit a buffer overflow vulnerability if present.
- Root cause: The portmapper service unnecessarily exposes information about running RPC services via the DUMP request functionality.
- Exploit mechanism: An attacker sends a DUMP request to the portmapper (typically TCP/UDP port 111) and parses the response for available services. They then attempt to connect to those services using appropriate RPC requests.
- Scope: Affected platforms include systems running ONC RPC, commonly found in older Unix-like operating systems and NFS servers. Specific versions depend on the underlying OS and installed RPC services.
3. Detection and Assessment
You can confirm whether a system is exposed by checking for an active portmapper service and attempting to enumerate the RPC services registered with it. For a thorough assessment, use a dedicated vulnerability scanner.
- Quick checks: Run `rpcinfo -p` on Linux/Unix systems to list the RPC services registered with the local portmapper.
- Scanning: As one example, Nessus plugin ID 10385 detects exposed ONC RPC services; OpenVAS has equivalent checks.
- Logs and evidence: Check firewall and system logs for connections to port 111 (TCP/UDP). Look for patterns indicating attempts to enumerate RPC services, such as repeated connections to port 111 from a single external source followed by connections to the ports of individual RPC services.
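The log review described above, as an added example that is not part of the original advisory: it reads kernel log lines written by an iptables LOG rule, counts hits on port 111 per source outside an assumed trusted subnet prefix, and flags sources that reach a threshold. The log prefix, trusted prefix, threshold and the sample lines are all constructed for illustration.

```bash
#!/bin/bash
# Added example: flag likely portmapper enumeration in firewall log lines.
# Assumes iptables logging (a LOG rule with a --log-prefix of your choice).

TRUSTED_PREFIX="${TRUSTED_PREFIX:-10.0.0.}"   # assumed trusted subnet prefix (placeholder)
THRESHOLD=3                                   # hits per source before we call it enumeration

# Constructed sample of kernel log lines as written by an iptables LOG rule.
SAMPLE_LOG='Jan 10 12:00:01 host kernel: [PMAP] IN=eth0 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=40000 DPT=111
Jan 10 12:00:02 host kernel: [PMAP] IN=eth0 SRC=203.0.113.9 DST=10.0.0.20 PROTO=UDP SPT=5000 DPT=111
Jan 10 12:00:02 host kernel: [PMAP] IN=eth0 SRC=203.0.113.9 DST=10.0.0.20 PROTO=TCP SPT=5001 DPT=111
Jan 10 12:00:03 host kernel: [PMAP] IN=eth0 SRC=203.0.113.9 DST=10.0.0.20 PROTO=TCP SPT=5002 DPT=2049
Jan 10 12:00:04 host kernel: [PMAP] IN=eth0 SRC=203.0.113.9 DST=10.0.0.20 PROTO=TCP SPT=5003 DPT=111
Jan 10 12:00:05 host kernel: [PMAP] IN=eth0 SRC=198.51.100.7 DST=10.0.0.20 PROTO=TCP SPT=6000 DPT=111'

# portmap_hits: read log lines on stdin, print "SRC count" for every source outside
# the trusted prefix that hit DPT=111, sorted by source.
portmap_hits() {
    awk -v trusted="$TRUSTED_PREFIX" '
        / DPT=111( |$)/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
            if (index(src, trusted) != 1) hits[src]++
        }
        END { for (s in hits) print s, hits[s] }' | sort
}

# flag_enumerators: print only the sources whose hit count reaches THRESHOLD.
flag_enumerators() {
    portmap_hits | awk -v t="$THRESHOLD" '$2 >= t { print $1 }'
}

# Stand-alone run over the constructed sample: prints 203.0.113.9
printf '%s\n' "$SAMPLE_LOG" | flag_enumerators
```

In production, feed it the real log (for example `journalctl -k | flag_enumerators`) and set TRUSTED_PREFIX to your own management network.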
4. Solution / Remediation Steps
The best solution is to disable the portmapper service if it’s not required, or restrict access using firewall rules. If the service is needed, ensure all RPC services are up-to-date with the latest security patches.
4.1 Preparation
- Ensure you have a rollback plan to re-enable the portmapper service if required. Keep a record of current firewall rules.
- Changes may require a maintenance window, depending on service dependencies and impact. Approval from the systems team is recommended.
4.2 Implementation
- Step 1: Stop the portmapper service using `systemctl stop rpcbind` (or equivalent for your OS).
- Step 2: Disable the portmapper service to prevent it from starting on boot using `systemctl disable rpcbind`.
- Step 3: If the service must remain running, configure firewall rules to restrict access to port 111 to trusted hosts only.
4.3 Config or Code Example
Before
```bash
# No firewall rules in place, port 111 is open to all
```
After
```bash
# Firewall rules restricting access to port 111. Rules are evaluated in order,
# so the ACCEPT rules for trusted sources must come before the DROP rules,
# and no earlier rule in the INPUT chain may already accept port 111 traffic.
# Replace <trusted-network-cidr> with the host or subnet that needs RPC access.
iptables -A INPUT -p tcp --dport 111 -s <trusted-network-cidr> -j ACCEPT
iptables -A INPUT -p udp --dport 111 -s <trusted-network-cidr> -j ACCEPT
iptables -A INPUT -p tcp --dport 111 -j DROP
iptables -A INPUT -p udp --dport 111 -j DROP
```
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help mitigate this vulnerability type.
- Practice 1: Least privilege – only run essential services and limit their access rights to reduce the impact of a potential compromise.
- Practice 2: Network segmentation – isolate critical systems from untrusted networks to prevent attackers from reaching vulnerable services directly.
4.5 Automation (Optional)
Where it is safe and directly relevant, a small script can apply the fix at scale. The following script stops and disables rpcbind only if it is currently running.
```bash
#!/bin/bash
# Stop and disable rpcbind (the portmapper) only if it is currently active.
set -e
if systemctl is-active --quiet rpcbind; then
    echo "Stopping and disabling rpcbind..."
    systemctl stop rpcbind
    systemctl disable rpcbind
else
    echo "rpcbind is not running; nothing to do."
fi
```
5. Verification / Validation
Confirm the fix by checking that the portmapper service is no longer running and that RPC services are not accessible from external networks.
- Post-fix check: Run `rpcinfo -p` on the host – it should return nothing or an error indicating the service is unavailable.
- Re-test: Re-run the initial `rpcinfo -p` enumeration from a host outside the trusted network to verify that no RPC services are listed and that the portmapper cannot be reached.
- Monitoring: Monitor system logs for attempts to connect to port 111 and alert if unexpected activity is detected.
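The post-fix check above, as an added example that is not part of the original advisory: it parses the standard `rpcinfo -p` column layout (program, version, protocol, port, service), treats program 100000 (the portmapper itself) as expected, and fails if anything else is still registered. The sample output is constructed; `check_host` is an assumed wrapper name for the live check.

```bash
#!/bin/bash
# Added example: turn "rpcinfo -p" output into a pass/fail verification.

# Constructed "rpcinfo -p" output from a host that still has NFS-related services registered.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100005    1   udp  20048  mountd
    100003    3   tcp   2049  nfs
    100021    1   udp  37156  nlockmgr'

# exposed_services: read rpcinfo -p output on stdin and print each non-portmapper
# registration once as "service proto/port"; the header line has no numeric program field.
exposed_services() {
    awk '$1 ~ /^[0-9]+$/ && $1 != "100000" { print $5, $3 "/" $4 }' | sort -u
}

# rpc_exposure_ok: return 0 only when the given rpcinfo output registers nothing
# beyond the portmapper; list the exposed services on stderr otherwise.
rpc_exposure_ok() {
    found=$(printf '%s\n' "$1" | exposed_services)
    if [ -n "$found" ]; then
        printf 'FAIL: RPC services still registered:\n%s\n' "$found" >&2
        return 1
    fi
    echo "OK: no RPC services beyond the portmapper"
    return 0
}

# check_host (assumed name): the live check. From an untrusted network the expected
# result after the fix is that rpcinfo cannot reach the portmapper at all; from a
# trusted host on a server that must keep rpcbind, only the service list is inspected.
check_host() {
    host="$1"
    if ! out=$(rpcinfo -p "$host" 2>/dev/null); then
        echo "OK: portmapper on $host not reachable"
        return 0
    fi
    rpc_exposure_ok "$out"
}

# Stand-alone run over the constructed sample: lists mountd, nfs and nlockmgr.
printf '%s\n' "$SAMPLE_RPCINFO" | exposed_services
```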
6. Preventive Measures and Monitoring
Regular security assessments and patch management are crucial preventive measures.
- Baselines: Update your system baseline to include disabling unnecessary services like portmapper or restricting access via firewall rules.
- Asset and patch process: Implement a regular patch management cycle for all systems, including timely updates for RPC-related packages.
7. Risks, Side Effects, and Roll Back
Disabling the portmapper service may impact applications relying on NFS functionality.
- Roll back: Step 1: Re-enable the portmapper service using `systemctl enable rpcbind`. Step 2: Start the portmapper service using `systemctl start rpcbind`.
8. References and Resources
- Vendor advisory or bulletin: Check your OS vendor’s security advisories for RPC-related vulnerabilities.
- NVD or CVE entry: Search the NVD database for specific RPC service vulnerabilities that may be exposed by enumeration.
- Product or platform documentation relevant to the fix: Refer to your OS documentation for instructions on managing and configuring the portmapper service.