nmap breaks lockd

Dan Crossman
Advisor

Hi all-

It seems a simple nmap scan can break lockd on HP-UX 11.31 with Sept2012 quality patches.
Running ServiceGuard 11.19 on Itanium with NFS toolkit.
This is easily reproducible on numerous servers and has recently caused a major disruption with our customers.
A search for critical fixes came up empty. Patch assessment came up empty also.

FEATURE11i B.11.31.1209.383a Feature Enablement Patches for HP-UX 11i v3, September 2012
HWEnable11i B.11.31.1209.383a Hardware Enablement Patches for HP-UX 11i v3, September 2012
QPKAPPS B.11.31.1209.383 Applications Patches for HP-UX 11i v3, September 2012
QPKBASE B.11.31.1209.383 Base Quality Pack Bundle for HP-UX 11i v3, September 2012
T1905CA A.11.19.00 Serviceguard
B5140BA A.11.31.06 Serviceguard NFS Toolkit


# nmap foobie
Starting Nmap 5.21 ( http://nmap.org ) at 2013-02-06 07:48 PST
Nmap scan report for xxx.xxx.xxx.xxx
Host is up (0.000086s latency).
Not shown: 984 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
111/tcp open rpcbind
113/tcp open auth
135/tcp open msrpc
515/tcp open printer
587/tcp open submission
901/tcp open samba-swat
2049/tcp open nfs
2121/tcp open ccproxy-ftp
2301/tcp open compaqdiag
4045/tcp open lockd
5555/tcp open freeciv
5666/tcp open nrpe
5989/tcp open unknown
49152/tcp open unknown

 

 

Here is the output from syslog.log at the moment of nmap scan:

# tail -f /var/log/syslog/syslog.log
Feb 6 07:40:44 foobie nfs4cbd[1106]: t_accept(file descriptor 6/transport tcp) TLI error 6
Feb 6 07:40:44 foobie vmunix: WARNING: hpsol_strioctl(): TI_GETPEERNAME failed, T_ADDR_REQ fail error = ENOTCONN.
Feb 6 07:40:44 foobie vmunix:
Feb 6 07:40:44 foobie /usr/sbin/nfsd[2612]: unable to register with kernel rpc: Socket is not connected
Feb 6 07:40:44 foobie /usr/sbin/rpc.lockd[1087]: t_accept(file descriptor 7/transport tcp) TLI error 0

 


As you can see, lockd over tcp effectively shuts down:

# rpcinfo -T tcp foobie nlockmgr
rpcinfo: RPC: Program not registered

 

UDP seems unaffected:

 

# rpcinfo -T udp foobie nlockmgr
program 100021 version 1 ready and waiting
program 100021 version 2 ready and waiting
program 100021 version 3 ready and waiting
program 100021 version 4 ready and waiting


Is HP aware of this vulnerability?

Thanks for your advice.

 

 

P.S. This thread has been moved from HP-UX > General to HP-UX > Networking - HP Forums Moderator

1 REPLY
Laurent Menase
Honored Contributor

Re: nmap breaks lockd

This should be asked to support or security-alerthp.com

 

Else you'll find it in

http://bizsupport2.austin.hp.com/bc/docs/support/SupportManual/c03469761/c03469761.pdf

 

Update to the last ONCplus ( B.11.31.15) should work well for you.
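
The check below is an added example, not part of the original thread or of HP's tooling: it classifies rpcinfo output for nlockmgr per transport to flag the TCP-only outage shown in the first post, and counts the matching rpc.lockd t_accept errors in syslog text. The function names and verdict strings are assumptions; the sample inputs are lines copied from the post's output.

```shell
#!/bin/sh
# Added example: monitoring logic for the lockd state described in the thread.
# Classify the text printed by `rpcinfo -T <transport> <host> nlockmgr`.
nlockmgr_state() {
    case "$1" in
        *"Program not registered"*) echo unregistered ;;
        *"program 100021 version"*"ready and waiting"*) echo registered ;;
        *) echo unknown ;;
    esac
}

# Combine the TCP and UDP results into one verdict (verdict names are assumed).
lockd_health() {
    tcp=$(nlockmgr_state "$1")
    udp=$(nlockmgr_state "$2")
    case "$tcp/$udp" in
        registered/registered)     echo OK ;;
        unregistered/registered)   echo TCP_DOWN ;;  # the state shown in the post
        unregistered/unregistered) echo DOWN ;;
        *)                         echo "UNKNOWN($tcp/$udp)" ;;
    esac
}

# Count rpc.lockd t_accept failures in syslog text read from stdin.
lockd_accept_errors() {
    grep -c 'rpc\.lockd\[[0-9]*]: t_accept(.*TLI error' || true
}

# Live use against a host (defined only, not run here): check_host foobie
check_host() {
    lockd_health "$(rpcinfo -T tcp "$1" nlockmgr 2>&1)" \
                 "$(rpcinfo -T udp "$1" nlockmgr 2>&1)"
}

# Sample input: lines taken from the output quoted in the first post.
SAMPLE_TCP='rpcinfo: RPC: Program not registered'
SAMPLE_UDP='program 100021 version 1 ready and waiting
program 100021 version 4 ready and waiting'
SAMPLE_SYSLOG='Feb 6 07:40:44 foobie nfs4cbd[1106]: t_accept(file descriptor 6/transport tcp) TLI error 6
Feb 6 07:40:44 foobie /usr/sbin/rpc.lockd[1087]: t_accept(file descriptor 7/transport tcp) TLI error 0'

echo "verdict: $(lockd_health "$SAMPLE_TCP" "$SAMPLE_UDP")"
echo "lockd accept errors: $(printf '%s\n' "$SAMPLE_SYSLOG" | lockd_accept_errors)"
```

Run from cron or a monitoring agent, a TCP_DOWN verdict catches the outage before NFS clients that lock over TCP start failing.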