Solaris XDR RPC Request Handling RCE (April 2017 CPU) (EBBISLAND / EBBSHAVE)

Critical Nessus Plugin ID 103532


The remote Solaris host is affected by a remote code execution vulnerability.


Nessus was able to execute shellcode and run a system command on the remote Solaris host. Solaris 6, 7, 8, 9, and 10 are affected by a remote code execution vulnerability in the XDR RPC service due to an overflow condition caused by improper validation of user-supplied input when handling RPC requests. An unauthenticated, remote attacker can exploit this, via a specially crafted RPC request, to execute arbitrary code.

EBBISLAND / EBBSHAVE is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/08 by a group known as the Shadow Brokers.


Upgrade to Solaris 11 or later. Alternatively, upgrade to Solaris 10 Update 11, or upgrade to Solaris 10 and apply any kernel patch released after 2012/01/26.

See Also

Plugin Details

Severity: Critical

ID: 103532

File Name: rpc_ebbshave.nbin

Version: $Revision: 1.4 $

Type: remote

Family: RPC

Published: 2017/09/28

Modified: 2018/01/29

Dependencies: 10223, 53335, 11936

Risk Information

Risk Factor: Critical


Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C


Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/o:oracle:solaris

Required KB Items: Host/OS, rpc/portmap

Exploited by Nessus: true

Patch Publication Date: 2017/04/18

Vulnerability Publication Date: 2017/04/08

Reference Information

CVE: CVE-2017-3623

BID: 97778

OSVDB: 155611