What is it?

Portmapper, also known as RPCBind, is the directory service of Sun's Remote Procedure Call protocol (ONC RPC). RPC programs are identified by a program number rather than by a fixed port: each program registers the port it is listening on with Portmapper, and a client first asks Portmapper, on TCP and UDP port 111, which port to use before calling the program. Portmapper has been part of the Sun RPC stack since the 1980s. Although it has many uses, the best known is the Network File System (NFS), which allows files on one computer to be accessed by another computer as if they were local.

Any program can register its services with Portmapper, and Portmapper will tell anyone who asks which programs are registered and on which ports. That answer is what makes it useful in a Denial of Service (DoS) attack, in which an attacker overwhelms a victim's server with more traffic than it can handle. In a Distributed Denial of Service (DDoS) attack the traffic comes from an army of unwitting third-party servers at the same time: because Portmapper answers over UDP without any authentication, an attacker can send each exposed Portmapper a small query whose source address is forged to be the victim's, and the much larger reply (the full list of registered services) is delivered to the victim instead of the attacker.

Why is it a risk?

Each program that registers with Portmapper is additional code exposed to the network, and each bug in that code is a potential vulnerability.

Such vulnerabilities are common, and they are hard to notice and resolve because Portmapper itself is usually rated low risk: only the services that register themselves can be reached through it, so it is often overlooked or ignored. The listing it hands out to anyone who asks, however, tells an attacker exactly which RPC services and versions a host is running, which is the reconnaissance step before attacking them.

There are literally dozens of vulnerabilities associated with portmapper/rpcbind, each affecting a specific RPC program and exposing a subset of that program's information or functionality.

In 2015, the first DDoS attacks that abused Portmapper as a reflector and amplifier were reported publicly.

How can you mitigate the risk?

Because Portmapper is so ubiquitous (and useful), it is often not practical to shut it down entirely. Where a host does not actually serve RPC programs such as NFS, though, disabling rpcbind is the cleanest fix.

As a compromise, write firewall rules that allow access to port 111, on both TCP and UDP, only from inside your local area network or from specific IP addresses, and drop it from everywhere else.

Blocking port 111 alone is not enough: the RPC services that Portmapper advertises (NFS on port 2049, mountd, the lock manager and so on) keep listening on their own ports, and attackers know which ports such services are likely to use and scan for them directly. Restrict those ports to the same trusted addresses.
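The following script is an added example, not code from this page or from the rpcbind project. It builds the 40-byte Portmapper DUMP call that rpcinfo sends, decodes the reply rpcbind returns, and computes how many bytes a reflector sends the victim per byte the attacker sends, which is the amplification described above. It also has a probe() function to run from an address outside the allowed range after the firewall rules above are in place, to confirm that port 111 no longer answers. The list of registered services is constructed for the example (the dynamic ports for nlockmgr and status are made up), and the xid values and function names are assumptions of mine.

```python
"""Portmapper (RPCBind) DUMP: what rpcinfo sends, what a reflector answers, and an exposure probe."""
import socket
import struct

PMAP_PORT = 111
PMAP_PROG = 100000      # program number of Portmapper itself
PMAP_VERS = 2           # v2 "portmap" dialect, understood by every rpcbind
PMAPPROC_DUMP = 4       # procedure 4: list every registered program (what `rpcinfo -p` uses)
IPPROTO_NAME = {6: "tcp", 17: "udp"}


def build_dump_call(xid: int) -> bytes:
    """ONC RPC CALL message (RFC 5531) for PMAPPROC_DUMP.

    Ten 32-bit words: xid, msg_type=0 (CALL), rpcvers=2, prog, vers, proc,
    then an AUTH_NULL credential and verifier (flavor 0, length 0 each).
    40 bytes on the wire, with no authentication of any kind.
    """
    return struct.pack("!10I", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP, 0, 0, 0, 0)


def build_dump_reply(xid: int, mappings) -> bytes:
    """Encode the reply rpcbind sends: reply header plus an XDR linked list of (prog, vers, prot, port)."""
    out = [struct.pack("!6I", xid, 1, 0, 0, 0, 0)]   # REPLY, MSG_ACCEPTED, null verifier, SUCCESS
    for prog, vers, prot, port in mappings:
        out.append(struct.pack("!5I", 1, prog, vers, prot, port))   # value_follows=1, then the mapping
    out.append(struct.pack("!I", 0))                 # value_follows=0 ends the list
    return b"".join(out)


def parse_dump_reply(data: bytes, xid: int):
    """Decode a DUMP reply into [(prog, vers, prot, port), ...]; ValueError on malformed or denied replies."""
    try:
        rxid, msg_type, reply_stat = struct.unpack("!3I", data[:12])
        if rxid != xid or msg_type != 1:
            raise ValueError("not a reply to our call")
        if reply_stat != 0:
            raise ValueError("MSG_DENIED")
        _flavor, verf_len = struct.unpack("!2I", data[12:20])
        off = 20 + ((verf_len + 3) & ~3)             # XDR opaque data is padded to a multiple of 4
        (accept_stat,) = struct.unpack("!I", data[off:off + 4])
        off += 4
        if accept_stat != 0:
            raise ValueError(f"accept_stat={accept_stat}")
        mappings = []
        while True:
            (follows,) = struct.unpack("!I", data[off:off + 4])
            off += 4
            if not follows:
                return mappings
            mappings.append(struct.unpack("!4I", data[off:off + 16]))
            off += 16
    except struct.error as exc:
        raise ValueError("truncated reply") from exc


def amplification_factor(request: bytes, reply: bytes) -> float:
    """Bytes the reflector sends to the (spoofed) victim per byte the attacker sends."""
    return len(reply) / len(request)


def probe(host: str, timeout: float = 2.0):
    """Exposure check: send DUMP over UDP to host:111 and return the mapping list if rpcbind
    answered, or None if nothing came back (port filtered, or rpcbind not running)."""
    xid = 0x5EC0DE01   # arbitrary transaction id; the reply must echo it
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_dump_call(xid), (host, PMAP_PORT))
        try:
            data, _ = sock.recvfrom(65535)
        except OSError:    # timeout, or ICMP port-unreachable surfacing as ConnectionRefusedError
            return None
    return parse_dump_reply(data, xid)


# Constructed sample: roughly what a default Linux NFS server registers. prot 6 = TCP, 17 = UDP.
# The ports for nlockmgr (100021) and status (100024) are dynamic and made up for this example.
SAMPLE_MAPPINGS = [
    (100000, 4, 6, 111), (100000, 3, 6, 111), (100000, 2, 6, 111),          # portmapper over TCP
    (100000, 4, 17, 111), (100000, 3, 17, 111), (100000, 2, 17, 111),       # portmapper over UDP
    (100005, 1, 17, 20048), (100005, 1, 6, 20048), (100005, 2, 17, 20048),  # mountd
    (100005, 2, 6, 20048), (100005, 3, 17, 20048), (100005, 3, 6, 20048),
    (100003, 3, 6, 2049), (100003, 4, 6, 2049), (100227, 3, 6, 2049),       # nfs, nfs_acl
    (100003, 3, 17, 2049), (100227, 3, 17, 2049),
    (100021, 1, 17, 35477), (100021, 3, 17, 35477), (100021, 4, 17, 35477), # nlockmgr
    (100021, 1, 6, 40233), (100021, 3, 6, 40233), (100021, 4, 6, 40233),
    (100024, 1, 17, 49113), (100024, 1, 6, 52831),                          # status
]

if __name__ == "__main__":
    import sys
    req = build_dump_call(0x1234)
    rep = build_dump_reply(0x1234, SAMPLE_MAPPINGS)
    print(f"request {len(req)} bytes, reply {len(rep)} bytes, amplification x{amplification_factor(req, rep):.1f}")
    for prog, vers, prot, port in parse_dump_reply(rep, 0x1234):
        print(f"{prog:>7} {vers} {IPPROTO_NAME.get(prot, prot):>4} {port}")
    if len(sys.argv) > 1:                       # e.g. python3 pmap_probe.py 192.0.2.10
        found = probe(sys.argv[1])
        print("rpcbind answered from outside the allowed range:" if found else "no answer (filtered)", found or "")
```

With the 25 constructed registrations the 40-byte request draws a 528-byte reply, a 13x amplification from a single packet; a real host with more RPC programs registered answers with correspondingly more. Run probe() against the host from an address the firewall rules are meant to exclude: a mapping list means port 111 on UDP is still reachable, None means the rules hold (the TCP side needs the same check, but over TCP each RPC message is prefixed by a 4-byte record-marking header that this UDP-only probe does not send).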

Resources:

GeeksForGeeks RPC Explained
https://www.geeksforgeeks.org/remote-procedure-call-rpc-in-operating-system/
