Sid 1-2019

Message

PROTOCOL-RPC mountd UDP dump request

Summary

The RPC service mountd enables clients to connect to networked file dismounted via UDP.

Impact

Denial of network resources to users on the local area network.

Detailed information

This may be an attempt to deny access to network resources from an unauthorized source. It may also be indicative of an attacker probing for RPC services on a host in an attempt to discover a possible entry point to network resources via a vulnerable daemon.
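
When triaging this alert, it helps to confirm that the captured UDP payload really is an ONC RPC call to mountd's DUMP procedure. The following is an added example, not part of the original rule documentation and not the rule's own signature. It assumes the standard ONC RPC call header layout and the MOUNT protocol numbering (program 100005, procedure 2 for DUMP); the function names and sample datagrams are constructed for illustration.

```python
import struct

MOUNT_PROGRAM = 100005   # ONC RPC program number assigned to mountd (assumption: standard numbering)
MOUNTPROC_DUMP = 2       # DUMP procedure number in MOUNT v1 and v3
RPC_CALL = 0             # msg_type value for a CALL
RPC_VERSION = 2          # ONC RPC protocol version


def classify_rpc_call(payload: bytes):
    """Return (program, version, procedure) for an RPC CALL in one UDP datagram, else None."""
    if len(payload) < 24:            # xid, msg_type, rpcvers, prog, vers, proc = 6 x 4 bytes
        return None
    _xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">6I", payload[:24])
    if mtype != RPC_CALL or rpcvers != RPC_VERSION:
        return None
    return prog, vers, proc


def is_mountd_dump(payload: bytes) -> bool:
    """True when the datagram is a call to mountd's DUMP procedure."""
    call = classify_rpc_call(payload)
    return call is not None and call[0] == MOUNT_PROGRAM and call[2] == MOUNTPROC_DUMP


def build_call(xid, prog, vers, proc, mtype=RPC_CALL):
    """Constructed sample datagram: call header plus empty AUTH_NONE credential and verifier."""
    header = struct.pack(">6I", xid, mtype, RPC_VERSION, prog, vers, proc)
    return header + struct.pack(">4I", 0, 0, 0, 0)


# Constructed payloads, not captured traffic.
SAMPLES = {
    "mountd DUMP v3": build_call(0x1234, 100005, 3, 2),
    "mountd EXPORT v3": build_call(0x1235, 100005, 3, 5),
    "portmap GETPORT": build_call(0x1236, 100000, 2, 3),
    "msg_type REPLY": build_call(0x1237, 100005, 3, 2, mtype=1),
    "truncated": build_call(0x1238, 100005, 3, 2)[:20],
}


def triage(samples):
    """Map each sample name to whether it would count as a mountd DUMP call."""
    return {name: is_mountd_dump(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hit in triage(SAMPLES).items():
        print(f"{name:18} {'mountd DUMP call' if hit else 'no match'}")
```

Only the first sample matches; calls to other mountd procedures, calls to other RPC programs, non-CALL messages and truncated datagrams do not.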

Affected systems

  • All systems allowing network shares to be unmounted by anonymous hosts,
  • all systems allowing RPC services to be stopped by ordinary users and
  • systems already compromised by an attacker via another vulnerability.

Ease of attack

Simple

False positives

None Known

False negatives

None Known

Corrective action

When allowing hosts to mount an external network share, consider using a hosts.allow file.

Do not allow shares to be unmounted by unauthorized hosts or users.

RPC services should not be available outside the local area network. Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.

RPC services should also be disabled where not needed.

Contributors

  • Cisco Talos
  • Brian Caswell
  • Nigel Houghton
