VAST Cluster 5.1 Security


The following is VAST's response to Qualys network vulnerability scans conducted on VAST Cluster 5.1.

Hidden RPC Services

CVE: CVE-1999-0632

Severity: 2

Threat: The Portmapper/Rpcbind listens on port 111 and stores an updated list of registered RPC services running on the server (RPC name, version and port number). It acts as a "gateway" for clients wanting to connect to any RPC daemon.

Applicability: False positive

Justification: Portmapper/rpcbind is a critical service for managing Remote Procedure Call (RPC) processes on Linux systems, essential for enabling network-based services like Network File System (NFS) to function. Portmapper/rpcbind is used to map RPC services to their dynamically assigned ports, allowing client machines to locate and communicate with these services. As a security best practice, we have reviewed and removed all unnecessary RPC services. However, essential services such as NFS, which rely on Portmapper/rpcbind, are retained to maintain necessary system functionality.

"rquotad" RPC Service Present

CVE: CVE-1999-0625

Severity: 2

Threat: The rpc.rquotad service is running on your server. No known vulnerabilities exist for this service; however, it is highly sensitive. Therefore, unless it is required, you should disable this service.

Applicability: True positive

Justification: VAST Cluster uses VAST's implementation of rquotad. If rquotad is not needed at a customer's site, it can be disabled by setting the ENABLE_RQUOTAD vsetting to false.

Statd Format Bug Vulnerability

CVE: CVE-2000-0666, CVE-2000-0800

Severity: 5

Threat: The rpc.rquotad service is running on your server. No known vulnerabilities exist for this service; however, it is highly sensitive. Therefore, unless it is required, you should disable this service.

Applicability: False positive

Justification: VAST's implementation of the nlockmgr RPC service is not susceptible to this vulnerability.

This vulnerability applies to a specific implementation of the NFS Network Lock Manager service (nlockmgr) that is distributed along with most common open-source Linux distributions. More specifically, the rpc.statd service in the nfs-utils package in various Linux distributions does not properly cleanse untrusted format strings, which allows remote attackers to obtain root privileges.

VAST Cluster leverages a completely proprietary lock manager that does not use open-source code and is not based on any generally distributed versions of this service where the vulnerability exists. VAST Cluster 5.2 does not have the rpc.statd service running on the cluster.
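To check the three findings above against what a node's portmapper actually advertises, the following added example (not VAST's code) parses `rpcinfo -p` output and classifies the registered RPC programs. The program numbers are the standard ONC RPC assignments; the required-service baseline, the sample output and its port numbers are constructed assumptions to adjust per site.

```python
# Added example: classify RPC registrations listed by `rpcinfo -p <host>`.
# Assumption: this baseline of required programs; adjust it for your site.
REQUIRED = {100000: "portmapper", 100003: "nfs",
            100005: "mountd", 100021: "nlockmgr"}
OPTIONAL = {100011: "rquotad"}  # page: can be disabled via ENABLE_RQUOTAD
STATD = 100024                  # rpc.statd registers under the name "status"

# Constructed sample in the layout printed by `rpcinfo -p`.
SAMPLE = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100005    3   tcp  20048  mountd
    100021    4   tcp  20106  nlockmgr
    100011    1   tcp  20107  rquotad
"""

def parse_rpcinfo(text):
    """Return a set of (program, version, proto, port) tuples."""
    rows = set()
    for line in text.splitlines():
        fields = line.split()
        # Skip the header row and anything that is not a registration line.
        if len(fields) < 4:
            continue
        if not all(fields[i].isdigit() for i in (0, 1, 3)):
            continue
        rows.add((int(fields[0]), int(fields[1]), fields[2], int(fields[3])))
    return rows

def audit(text):
    """Compare registered programs with the baseline and the page's findings."""
    programs = {row[0] for row in parse_rpcinfo(text)}
    known = set(REQUIRED) | set(OPTIONAL) | {STATD}
    return {
        "missing_required": sorted(
            name for prog, name in REQUIRED.items() if prog not in programs),
        "rquotad_registered": 100011 in programs,  # CVE-1999-0625 finding
        "statd_registered": STATD in programs,     # CVE-2000-0666 / -0800 finding
        "unexpected": sorted(programs - known),    # candidates for removal
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

A `rquotad_registered` result of `True` corresponds to the true-positive finding above; after setting ENABLE_RQUOTAD to false, re-running the check against fresh `rpcinfo -p` output should report `False`.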