Solaris XDR RPC Request Handling RCE (April 2017 CPU) (EBBISLAND / EBBSHAVE)

critical Nessus Plugin ID 103532


The remote Solaris host is affected by a remote code execution vulnerability.


Nessus was able to execute shellcode and run a system command on the remote Solaris host. Solaris 6, 7, 8, 9, and 10 are affected by a remote code execution vulnerability in the XDR RPC service due to an overflow condition caused by improper validation of user-supplied input when handling RPC requests. An unauthenticated, remote attacker can exploit this, via a specially crafted RPC request, to execute arbitrary code.

EBBISLAND / EBBSHAVE is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/08 by a group known as the Shadow Brokers.


Upgrade to Solaris 11 or later. Alternatively, upgrade to Solaris 10 Update 11, or upgrade to Solaris 10 and apply any kernel patch released after 2012/01/26.

Plugin Details

Severity: Critical

ID: 103532

File Name: rpc_ebbshave.nbin

Version: 1.58

Type: remote

Family: RPC

Published: 9/28/2017

Updated: 5/20/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information


Risk Factor: Critical

Score: 9.2


CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C


CVSS v3

Risk Factor: Critical

Base Score: 10

Temporal Score: 9.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:oracle:solaris

Required KB Items: Host/OS, rpc/portmap

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 4/18/2017

Vulnerability Publication Date: 4/8/2017

Reference Information

CVE: CVE-2017-3623

BID: 97778