Rule:--Sid:2185--Summary:This event is generated when an attempt is made to exploit a known vulnerability in the xlog function of certain Linux NFS Utils packages.Specifically this event is generated when UDP is used as the attack medium.--Impact:Denial of Service (DoS), possible arbitrary code execution.--Detailed Information:The mountd Remote Procedure Call (RPC) implements the NFS mount protocol. A vulnerability exists in some versions of the Linux NFS Utilities package prior to 1.0.4 that can lead to the possible execution of arbitrary code or a DoS against the affected server.A programming error in the xlog function may be exploited by an attacker by sending RPC requests to mountd that do not contain any newline characters. This causes a buffer to overflow thus presenting the attacker with the opportunity to execute code.--Affected Systems:Systems using Linux NFS Utils prior to version 1.0.4.--Attack Scenarios:An attacker may send a specially crafted RPC request that does not contain any newline characters to the NFS server via TCP or UDP.--Ease of Attack:Moderate.--False Positives:None known.--False Negatives:None known.--Corrective Action:Limit remote access to RPC services.Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. Disable unneeded RPC services.Upgrade to the latest non-affected version of the software.Apply the appropriate vendor supplied patches.--Contributors:Sourcefire Vulnerability Research TeamBrian Caswell <bmc@sourcefire.com>Nigel Houghton <nigel.houghton@sourcefire.com>--Additional References:--