Junos OS

  • 1.  RPC Portmapping on MX204

    Posted 05-15-2024 15:50

    Hello,

    I am having an issue with a security vulnerability scanner that is reporting a "RPC Portmapper Information" vulnerability (CVE-1999-0632) with the results listed below.

    The result section shows the information received by making an RPC call to the portmapper on the target host. It shows the list of all registered RPC programs.

    SOLUTION:

    Check to be sure that the information reported adheres to your security policy.

    RESULT:

    RPC detected on UDP port 68.

    RPC detected on UDP port 514.

    RPC detected on UDP port 1701.

    RPC detected on UDP port 443.

    RPC detected on UDP port 80.

    RPC detected on UDP port 161.

    RPC detected on UDP port 123.

    RPC detected on UDP port 67.

    I know that this does not mean that these ports are open and responding to probes. After quite a bit of research, I think I understand how this RPC service is probed and how the response is crafted. But there is not a lot of information on this CVE as it relates to Juniper MX routers. I have found some items regarding the SRX, but that has not helped me. Has anyone else dealt with this and knows how to keep this from responding? I have created filter rules for all of the above and port 111 and applied them to the public-facing interface and the loopback interface, but that has not helped either.

    Any help is appreciated.

    Thanks

    Matt



  • 2.  RE: RPC Portmapping on MX204

     
    Posted 05-16-2024 01:16

    Hi Matt,

    can you please share the filter configuration and how you applied it?

    Good examples for such filters can be found at https://www.juniper.net/documentation/en_US/day-one-books/Securing_RouteEngine_v2.pdf

    Regards

    Ulf




  • 3.  RE: RPC Portmapping on MX204

    Posted 05-16-2024 12:19

    Sure. Here you go.

    The interface xe-0/1/3.25 is the interface that is being scanned.

    firewall {
        family inet {
            filter FILTER_CUSTOMER_UDP_PORTS {
                term T1 {
                    from {
                        destination-address {
                            X.X.X.X/32;
                        }
                        protocol udp;
                        destination-port [ 80 67 443 1701 123 161 514 179 111 ];
                    }
                    then {
                        log;
                        discard;
                    }
                }
                term T2 {
                    then accept;
                }
            }
            filter RE-Protect {
                term T1 {
                    from {
                        source-address {
                            0.0.0.0/0;
                        }
                        source-prefix-list {
                            MGMT_Net except;
                        }
                        destination-port [ ssh https telnet http ntp snmp ];
                    }
                    then {
                        discard;
                    }
                }
                term accept_everything_else {
                    then accept;
                }
            }
        }
    }

    set interfaces xe-0/1/3 unit 25 vlan-id 25
    set interfaces xe-0/1/3 unit 25 family inet filter input FILTER_CUSTOMER_UDP_PORTS
    set interfaces xe-0/1/3 unit 25 family inet address X.X.X.X/27

    set interfaces lo0 unit 0 family inet filter input-list MGMT
    set interfaces lo0 unit 0 family inet filter input-list FILTER_CUSTOMER_UDP_PORTS



  • 4.  RE: RPC Portmapping on MX204

     
    Posted 05-19-2024 11:44

    Hi,

    several notes:

    1. I suppose you'd want all interfaces to be protected, right? For that it's most straightforward to just apply a filter to lo0 (and remove the one on the interface to avoid confusion).
    2. That way you can also do without the "from destination-address" statement.
    3. The filter RE-Protect exists, but is not applied ...
    4. (most important:) there is more than one filter applied to lo0 (as a list), and "FILTER_CUSTOMER_UDP_PORTS" is applied second. So if MGMT has already permitted the packets in question, then it's too late / your filter won't even get to evaluate these packets.
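    The following configuration is an added example that is not part of the thread and was not posted by either participant. It restructures the filters along the lines of notes 1 to 4: a single input filter on lo0, so no destination-address match is needed and no second filter in an input-list can be pre-empted by MGMT accepting the packet first. The filter name RE-PROTECT-INET, the term names and the counter name are assumptions; the prefix list MGMT_Net comes from the original post, and NTP_SERVERS is a hypothetical prefix list assumed to hold the configured NTP servers. The port list is the one the scanner reported plus UDP 111 (portmapper).

```junos
firewall {
    family inet {
        filter RE-PROTECT-INET {
            /* Hosts on the management prefix list may reach any RE service.
               This term must come first so it is evaluated before the discard. */
            term allow-mgmt {
                from {
                    source-prefix-list {
                        MGMT_Net;
                    }
                }
                then accept;
            }
            /* Assumption: NTP_SERVERS lists the configured NTP servers. The RE
               sends NTP queries from UDP 123 and receives replies to UDP 123, so
               those replies must be accepted before the blanket UDP discard below. */
            term allow-ntp-replies {
                from {
                    source-prefix-list {
                        NTP_SERVERS;
                    }
                    protocol udp;
                    source-port 123;
                    destination-port 123;
                }
                then accept;
            }
            /* Portmapper (UDP 111) and the other UDP ports reported by the scanner,
               discarded for every other source. The counter makes it visible whether
               the term is actually matching. */
            term discard-rpc-udp {
                from {
                    protocol udp;
                    destination-port [ 111 68 514 1701 443 80 161 123 67 ];
                }
                then {
                    count rpc-udp-discard;
                    log;
                    discard;
                }
            }
            term accept-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                /* One filter, applied as "input" rather than "input-list", replacing
                   both MGMT and FILTER_CUSTOMER_UDP_PORTS on lo0 and the per-interface
                   filter on xe-0/1/3.25. */
                filter {
                    input RE-PROTECT-INET;
                }
            }
        }
    }
}
```

    After committing, rerun the scan and check that the counter in "show firewall filter RE-PROTECT-INET" increments and that "show firewall log" shows the discarded probes; if the counter stays at zero while the scanner still gets portmapper answers, the packets are being accepted by an earlier term or by another filter, not by this one. Before adopting the port list as-is, check each port against services the RE itself needs (DHCP relay on 67/68, SNMP polling on 161, NTP on 123) and add accept terms ahead of discard-rpc-udp for the trusted sources of those services, as the allow-ntp-replies term does. "show system connections" lists the UDP sockets the RE actually has open, which tells you whether a portmapper is listening at all or whether the scanner is only inferring from responses to its probes.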