Solaris XDR RPC Request Handling RCE (April 2017 CPU) (EBBISLAND / EBBSHAVE)

Critical Nessus Plugin ID 103532

Synopsis

The remote Solaris host is affected by a remote code execution vulnerability.

Description

Nessus was able to execute shellcode and run a system command on the remote Solaris host. Solaris 6, 7, 8, 9, and 10 are affected by a remote code execution vulnerability in the XDR RPC service due to an overflow condition caused by improper validation of user-supplied input when handling RPC requests. An unauthenticated, remote attacker can exploit this, via a specially crafted RPC request, to execute arbitrary code.

EBBISLAND / EBBSHAVE is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/08 by a group known as the Shadow Brokers.

Solution

Upgrade to Solaris 11 or later. Alternatively, upgrade to Solaris 10 Update 11, or upgrade to Solaris 10 and apply any kernel patch released after 2012/01/26.

See Also

http://www.nessus.org/u?9b84a0bd

http://www.nessus.org/u?3ee03e31

Plugin Details

Severity: Critical

ID: 103532

File Name: rpc_ebbshave.nbin

Version: 1.22

Type: remote

Family: RPC

Published: 2017/09/28

Updated: 2019/04/10

Dependencies: 11936, 53335, 10223

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSS v3.0

Base Score: 10

Temporal Score: 9.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:oracle:solaris

Required KB Items: Host/OS, rpc/portmap

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 2017/04/18

Vulnerability Publication Date: 2017/04/08

Exploitable With

CANVAS (CANVAS)

Reference Information

CVE: CVE-2017-3623

BID: 97778