Rule Category

PROTOCOL-RPC -- Snort has detected traffic that may indicate the presence of the RPC protocol or vulnerabilities in the RPC protocol on the network.

Alert Message

PROTOCOL-RPC Linux kernel nfsd nfsd4_layout_verify out of bounds read attempt

Rule Explanation

This event is generated when Snort detects traffic exploiting an out-of-bounds read vulnerability in the Linux kernel nfsd module.

Impact: Attempted Denial of Service

Details:

Ease of Attack:

What To Look For

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic:

Technique:

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

CVE

Additional Links

CVE Additional Information

CVE-2017-8797
The NFSv4 server in the Linux kernel before 4.11.3 does not properly validate the layout type when processing the NFSv4 pNFS GETDEVICEINFO or LAYOUTGET operand in a UDP packet from a remote attacker. This type value is uninitialized upon encountering certain error conditions. This value is used as an array index for dereferencing, which leads to an OOPS and eventually a DoS of knfsd and a soft-lockup of the whole system.
Details
Severity:
Base Score: 7.5
Impact Score: 3.6
Exploit Score: 3.9
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Access Vector:
Authentication:
Ease of Access: