The EMC Legato NetWorker PortMapper allows remote access to
pmap_unset. This could allow a remote attacker to cause a denial of service or potentially to eavesdrop on communications between NetWorker programs.
EMC Legato NetWorker is a cross-platform backup and recovery application. It is also repackaged by Sun Microsystems as Solstice Backup and StorEdge Enterprise Backup, by FSC as Fujitsu Siemens Computers' NetWorker, by NEC as WebSAM NetWorker Powered by Legato, and by Fujitsu as NetWorker.
The Legato PortMapper, also known as
lgtomapper, is a service that listens on port 7938 and converts RPC program numbers into TCP or UDP protocol port numbers. The RPC
pmap_set command can be used to map a remote procedure call to a port.
pmap_unset destroys the mappings between a remote procedure call and a port.
With most portmapper implementations, the
pmap_unset calls are restricted in ways such as only allowing connections from
localhost. The Legato PortMapper allows any host to call
pmap_unset. This may allow a remote, unauthenticated attacker to unregister existing NetWorker RPC services or register new RPC services.
A remote unauthenticated attacker may be able to create a denial-of-service condition by unregistering NetWorker services. An attacker may be able to eavesdrop on NetWorker process communications by registering a new RPC service.
Apply a patch or upgrade
Apply a patch or upgrade, as specified in the EMC Legato Technical Product Alert.
Sun Solstice Backup and StorEdge Enterprise Backup customers should see Sun Alert 101866 for patch availability.
You may wish to block access to the vulnerable software from outside your network perimeter, specifically by blocking access to the ports used by NetWorker (typically TCP and UDP ports 7937-9936). This will limit your exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. The use of host-based firewalls in addition to network-based firewalls can help restrict access to specific hosts within the network. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate.
Vendor| Status| Date Notified| Date Updated
EMC Software| | 03 Jun 2005| 16 Aug 2005
Fujitsu Limited| | 15 Aug 2005| 24 Aug 2005
NEC| | 15 Aug 2005| 24 Aug 2005
Sun Microsystems, Inc.| | 12 Jul 2005| 19 Sep 2005
If you are a vendor and your product is affected, let us know.
Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A
Thanks to the NOAA NCIRT Lab for reporting this vulnerability.
This document was written by Will Dormann.