RPC Statd

A remote rpc.lockd can provide false information to rpc.statd, allowing a file to be removed or created.

RPC statd maintains state information in cooperation with RPC lockd, to provide crash and recovery functionality for file locking across NFS. Because statd does not validate the information it receives from the remote lockd, an intruder can send a remote procedure call, resulting in the creation or removal of any file on the system.

The scan engine attempts to create a file in /tmp using these calls. If the file is created, the machine is vulnerable to attack. Most machines presently running NFS can allow removal of a file remotely. The scan engine can only determine if statd is possibly vulnerable to the attack. To conclusively determine a system's vulnerability before patching it, check the system for the file /tmp/statd-vulnerable. If this file exists after a scan, the machine is vulnerable to attack.

Risk: Medium

Fix: Contact your vendor for a patch.

Advisory: CA-96.09.rpc.statd
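
The post-scan verification described above, as an added example that is not part of the original check description or the scanner's own code: it reads `rpcinfo -p` output to see whether statd (RPC program 100024, service name `status`) is registered, and looks for the marker file the page names. The function names, result labels and the sample `rpcinfo -p` listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: host-side confirmation after a scan for the statd check.
# Assumption: `rpcinfo -p` prints "program vers proto port service" columns.

MARKER_NAME="statd-vulnerable"   # the page's marker file is /tmp/statd-vulnerable

# Print one "proto/port vN" line per statd registration (RPC program 100024).
# Expects `rpcinfo -p` output on stdin.
statd_endpoints() {
    awk '$1 == "100024" { printf "%s/%s v%s\n", $3, $4, $2 }'
}

# Succeed if the scan left its marker file in the given directory (default /tmp).
marker_present() {
    [ -e "${1:-/tmp}/$MARKER_NAME" ]
}

# Classify the host. stdin: rpcinfo -p output; $1: directory to check (default /tmp).
# MARKER_FOUND         - marker exists: the page treats this as conclusive.
# STATD_REGISTERED     - statd is reachable via the portmapper, no marker seen;
#                        the scan alone can only say "possibly vulnerable".
# STATD_NOT_REGISTERED - no statd registration in the listing.
assess_statd() {
    tmpdir="${1:-/tmp}"
    endpoints=$(statd_endpoints)
    if marker_present "$tmpdir"; then
        echo "MARKER_FOUND"
    elif [ -n "$endpoints" ]; then
        echo "STATD_REGISTERED"
    else
        echo "STATD_NOT_REGISTERED"
    fi
}

# Constructed sample of `rpcinfo -p` output (not captured from a real host).
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32768  status
    100021    1   udp  32769  nlockmgr
EOF
}

# On a live host, run: rpcinfo -p | assess_statd /tmp
sample_rpcinfo | assess_statd /tmp
```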