Original Message:
Sent: 05-16-2024 12:18
From: Juniper_Idiot
Subject: RPC Portmapping on MX204
Sure. Here you go.
The interface xe-0/1/3.25 is the interface that is being scanned.
filter FILTER_CUSTOMER_UDP_PORTS {
    term T1 {
        from {
            destination-address {
                X.X.X.X/32;
            }
            protocol udp;
            destination-port [ 80 67 443 1701 123 161 514 179 111 ];
        }
        then {
            log;
            discard;
        }
    }
    term T2 {
        then accept;
    }
}
filter RE-Protect {
    term T1 {
        from {
            source-address {
                0.0.0.0/0;
            }
            source-prefix-list {
                MGMT_Net except;
            }
            destination-port [ ssh https telnet http ntp snmp ];
        }
        then {
            discard;
        }
    }
    term accept_everything_else {
        then accept;
    }
}
set interfaces xe-0/1/3 unit 25 vlan-id 25
set interfaces xe-0/1/3 unit 25 family inet filter input FILTER_CUSTOMER_UDP_PORTS
set interfaces xe-0/1/3 unit 25 family inet address X.X.X.X/27
set interfaces lo0 unit 0 family inet filter input-list MGMT
set interfaces lo0 unit 0 family inet filter input-list FILTER_CUSTOMER_UDP_PORTS
Original Message:
Sent: 05-16-2024 01:16
From: Ulf
Subject: RPC Portmapping on MX204
Hi Matt,
Can you please share the filter configuration and how you applied it?
Good examples for such filters can be found at https://www.juniper.net/documentation/en_US/day-one-books/Securing_RouteEngine_v2.pdf
Regards
Ulf
Original Message:
Sent: 05-15-2024 15:50
From: Juniper_Idiot
Subject: RPC Portmapping on MX204
Hello,
I am having an issue with a security vulnerability scanner that is reporting a "RPC Portmapper Information" vulnerability (CVE-1999-0632) with the results listed below.
The result section shows the information received by making an RPC call to the portmapper on the target host. It shows the list of all registered RPC programs.
SOLUTION:
Check to be sure that the information reported adheres to your security policy.
RESULT:
RPC detected on UDP port 68.
RPC detected on UDP port 514.
RPC detected on UDP port 1701.
RPC detected on UDP port 443.
RPC detected on UDP port 80.
RPC detected on UDP port 161.
RPC detected on UDP port 123.
RPC detected on UDP port 67.
I know that this does not mean that these ports are open and responding to probes. After quite a bit of research, I think I understand how this RPC service is probed and how the response is crafted. But there is not a lot of information on this CVE as it relates to Juniper MX routers. I have found some items regarding the SRX, but that has not helped me. Has anyone else dealt with this and knows how to keep this from responding? I have created filter rules for all of the above and port 111 and applied them to the public-facing interface and the loopback interface, but that has not helped either.
Any help is appreciated.
Thanks
Matt
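The probe the scanner performs, as an added Python example that is not part of this thread and not Juniper's code: it builds the SunRPC v2 PMAPPROC_DUMP call (program 100000, procedure 4, AUTH_NONE) that "RPC Portmapper Information" checks send, decodes the reply into (program, version, protocol, port) entries, and can send that call over UDP to the ports the scanner listed so the finding can be confirmed or refuted independently of the scanner. The xid check matters: only a datagram that echoes the call's transaction id and carries MSG_ACCEPTED/SUCCESS counts as a portmapper answer, so ICMP or unrelated traffic is never mistaken for one. The host and port arguments are assumptions for the reader to fill in; the sample reply bytes are constructed for offline testing, not captured from any device.

```python
"""SunRPC portmapper (program 100000, v2) DUMP probe. Added example."""
import os
import socket
import struct

PMAP_PROG = 100000        # portmapper / rpcbind program number
PMAP_VERS = 2
PMAPPROC_DUMP = 4         # returns the whole registration table
PROTO_NAMES = {6: "tcp", 17: "udp"}


def build_dump_call(xid):
    """RFC 5531 CALL message for PMAPPROC_DUMP with AUTH_NONE cred and verf."""
    return struct.pack("!10I", xid,
                       0,                        # msg_type = CALL
                       2,                        # rpcvers
                       PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP,
                       0, 0,                     # cred: AUTH_NONE, length 0
                       0, 0)                     # verf: AUTH_NONE, length 0


def parse_dump_reply(data, xid):
    """Decode an accepted DUMP reply into [(prog, vers, proto, port), ...].

    Raises ValueError for anything that is not a successful reply to the call
    with this xid, so an unrelated datagram is never reported as a portmapper.
    """
    if len(data) < 24:
        raise ValueError("datagram too short for an RPC reply")
    r_xid, msg_type, reply_stat, _vflavor, vlen = struct.unpack("!5I", data[:20])
    if r_xid != xid:
        raise ValueError("xid mismatch: not a reply to our call")
    if msg_type != 1:
        raise ValueError("msg_type is not REPLY")
    if reply_stat != 0:
        raise ValueError("MSG_DENIED")
    off = 20 + ((vlen + 3) & ~3)          # skip verifier body (XDR pads to 4)
    if len(data) < off + 4:
        raise ValueError("truncated accepted reply")
    accept_stat = struct.unpack("!I", data[off:off + 4])[0]
    if accept_stat != 0:
        raise ValueError(f"accept_stat {accept_stat} is not SUCCESS")
    off += 4
    mappings = []
    while True:                            # XDR optional list: bool, then struct
        if len(data) < off + 4:
            raise ValueError("truncated pmaplist")
        present = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
        if present == 0:
            break
        if len(data) < off + 16:
            raise ValueError("truncated pmap entry")
        mappings.append(struct.unpack("!4I", data[off:off + 16]))
        off += 16
    return mappings


def is_portmapper_reply(data, xid):
    """True only if data parses as a successful DUMP reply to xid."""
    try:
        parse_dump_reply(data, xid)
        return True
    except ValueError:
        return False


def format_mappings(mappings):
    """Render entries as 'program 100000 v2 udp/111'."""
    return [f"program {p} v{v} {PROTO_NAMES.get(pr, pr)}/{port}"
            for p, v, pr, port in mappings]


def build_sample_dump_reply(xid, mappings):
    """CONSTRUCTED reply for offline testing; not captured from any device."""
    out = struct.pack("!5I", xid, 1, 0, 0, 0)     # REPLY, MSG_ACCEPTED, verf AUTH_NONE
    out += struct.pack("!I", 0)                    # accept_stat SUCCESS
    for prog, vers, proto, port in mappings:
        out += struct.pack("!5I", 1, prog, vers, proto, port)
    return out + struct.pack("!I", 0)              # end of list


def probe(host, port, timeout=2.0):
    """Send one DUMP call over UDP; returns mappings, None on timeout,
    or raises ValueError if something answered with a non-RPC datagram."""
    xid = struct.unpack("!I", os.urandom(4))[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_dump_call(xid), (host, port))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_dump_reply(data, xid)


if __name__ == "__main__":
    import sys
    # Usage: python3 pmap_probe.py <host> [port ...]; default is the scanner's list plus 111.
    target = sys.argv[1]
    ports = [int(p) for p in sys.argv[2:]] or [111, 67, 68, 80, 123, 161, 443, 514, 1701]
    for p in ports:
        try:
            result = probe(target, p)
        except ValueError as e:
            print(f"udp/{p}: answered, but not a valid RPC reply ({e})")
            continue
        if result is None:
            print(f"udp/{p}: no answer")
        else:
            print(f"udp/{p}: portmapper answered with {len(result)} registrations")
            for line in format_mappings(result):
                print("   ", line)
```

Run it from a host outside the MGMT_Net prefix list against the address on xe-0/1/3.25 before and after committing a filter change: a "no answer" on every port is the result a working discard term produces, while "portmapper answered" shows exactly which program registrations the RE is still exposing and on which UDP port. The example covers only the wire exchange; it does not itself explain why a scanner attributes the response to ports like 68 or 443.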