EN
Русский
TCP
Dangerous
Other
Port 111 (RPCbind)
Learn about port 111 (RPCbind) - security risks, vulnerabilities, and common uses. Find devices with port 111 open.
Quick Info
Port Number
111
Protocol
TCP
Service
RPCbind
IANA Name
RPCbind
Service Description
Port 111, commonly associated with RPCbind (also known as Portmapper), is a crucial service in Unix-like operating systems that facilitates dynamic port allocation for Remote Procedure Call (RPC) services. RPCbind acts as a directory service, mapping RPC program numbers to the dynamically assigned TCP or UDP ports on which these services are listening. When an RPC client wants to communicate with an RPC service, it first contacts RPCbind on port 111 to determine the port number the desired service is using. The client then connects directly to the service on the port provided by RPCbind. Historically, RPCbind was essential for the functioning of many network services, allowing them to operate without pre-defined, static port assignments, improving flexibility and resource utilization.
The RPCbind service operates by listening for incoming requests on port 111, typically using both TCP and UDP protocols. When a service starts, it registers itself with RPCbind, providing its program number and the port it is listening on. Clients querying RPCbind send a request specifying the RPC program number they wish to connect to. RPCbind then responds with the corresponding port number. This dynamic port assignment allows multiple RPC services to share the same server without conflicting port assignments. The RPCbind protocol itself is relatively simple, involving structured messages for registration, lookup, and deregistration of RPC services. In modern systems, more secure alternatives to RPCbind, such as systemd socket activation, are often preferred for managing RPC services, but RPCbind remains prevalent in older systems and certain network environments.
## Firewall Recommendations
In most cases, port 111 (RPCbind) should be blocked from external networks and only allowed for internal communication within a trusted network segment. If RPC services are required externally, consider using a VPN or other secure tunneling mechanism to protect the traffic. If RPCbind must be exposed, implement strict access controls, using firewall rules to limit access to only authorized IP addresses or networks. Regularly patch RPCbind and related libraries (e.g., libtirpc) to address known vulnerabilities. Consider replacing RPCbind with more secure alternatives, such as systemd socket activation, where feasible. Monitor RPCbind logs for suspicious activity, such as excessive lookup requests or registration attempts from unauthorized sources. Use tcpdump or Wireshark to analyze network traffic on port 111 for anomalies.
The RPCbind service operates by listening for incoming requests on port 111, typically using both TCP and UDP protocols. When a service starts, it registers itself with RPCbind, providing its program number and the port it is listening on. Clients querying RPCbind send a request specifying the RPC program number they wish to connect to. RPCbind then responds with the corresponding port number. This dynamic port assignment allows multiple RPC services to share the same server without conflicting port assignments. The RPCbind protocol itself is relatively simple, involving structured messages for registration, lookup, and deregistration of RPC services. In modern systems, more secure alternatives to RPCbind, such as systemd socket activation, are often preferred for managing RPC services, but RPCbind remains prevalent in older systems and certain network environments.
## Firewall Recommendations
In most cases, port 111 (RPCbind) should be blocked from external networks and only allowed for internal communication within a trusted network segment. If RPC services are required externally, consider using a VPN or other secure tunneling mechanism to protect the traffic. If RPCbind must be exposed, implement strict access controls, using firewall rules to limit access to only authorized IP addresses or networks. Regularly patch RPCbind and related libraries (e.g., libtirpc) to address known vulnerabilities. Consider replacing RPCbind with more secure alternatives, such as systemd socket activation, where feasible. Monitor RPCbind logs for suspicious activity, such as excessive lookup requests or registration attempts from unauthorized sources. Use tcpdump or Wireshark to analyze network traffic on port 111 for anomalies.
Security Information
RPCbind, due to its role as a central directory for RPC services, has historically been a significant security target. Its accessibility allows attackers to enumerate available RPC services, potentially identifying vulnerable applications or misconfigured services. Open RPCbind services, especially those exposed to the internet, can be exploited to launch denial-of-service (DoS) attacks, by flooding the service with lookup requests. Furthermore, vulnerabilities in RPCbind itself can allow attackers to register malicious services or redirect traffic to unintended targets. Because RPCbind often runs with elevated privileges (typically root), successful exploitation can lead to complete system compromise. Attackers often scan for open port 111 to identify potential targets for further exploitation. The dynamic nature of RPC can also make it challenging to secure, as the ports used by RPC services can change, requiring careful firewall configuration and monitoring.
Known Vulnerabilities
| CVE | Name | Severity | Description |
|---|---|---|---|
| CVE-2016-4992 | glibc: getaddrinfo() stack-based buffer overflow | High | A stack-based buffer overflow vulnerability exists in the getaddrinfo() function in glibc, which can be triggered by RPCbind when handling long hostnames. This can lead to arbitrary code execution. |
| CVE-2016-8655 | libtirpc: Off-by-one heap overflow in svcunix.c | High | An off-by-one heap overflow vulnerability exists in libtirpc's svcunix.c, affecting RPCbind. This could lead to denial of service or potentially arbitrary code execution. |
| CVE-2017-8779 | rpcbind: Information disclosure vulnerability | Medium | An information disclosure vulnerability exists in rpcbind, potentially allowing attackers to gather sensitive information about registered services. |
| CVE-2019-14835 | libtirpc: Heap-based buffer over-read in rpc_buffer | Medium | A heap-based buffer over-read vulnerability exists in libtirpc, which can be triggered by RPCbind processing crafted RPC requests. This can lead to denial of service or information disclosure. |
Malware Associations
- Stacheldraht (used port 111 for coordination)
- Some variants of DDoS botnets may scan for open RPCbind services to exploit known vulnerabilities or launch amplification attacks.
Common Software
- NFS (Network File System)
- NIS (Network Information Service)
- rpc.statd
- rpc.mountd
- rpc.nfsd
- rpc.lockd
- ypbind
- Various other RPC-based applications
Find all devices with port 111 open
ScaniteX scans millions of IPs to find devices with specific ports open. Perfect for security research and network auditing.
Start Mass Scanning