CVE-2016-0913
📋 TL;DR
This vulnerability allows remote Replication Manager servers to execute arbitrary commands on affected systems by placing a crafted script in an SMB share. It affects EMC Replication Manager, EMC Network Module for Microsoft, and EMC Networker Module for Microsoft installations. Attackers can achieve remote code execution without authentication.
💻 Affected Systems
- EMC Replication Manager (RM)
- EMC Network Module for Microsoft
- EMC Networker Module for Microsoft
📦 What is this software?
Networker Module For Microsoft Applications by Emc
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with administrative privileges, data exfiltration, ransomware deployment, and lateral movement across the network.
Likely Case
Remote code execution leading to data theft, installation of backdoors, or disruption of backup/replication services.
If Mitigated
Limited impact due to network segmentation, restricted SMB share access, and proper patch management.
🎯 Exploit Status
Exploitation involves placing a crafted script in an accessible SMB share, which is then executed by the vulnerable client.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: RM 5.5.3.0_01-PatchHotfix, Networker Module for Microsoft 8.2.3.6
Vendor Advisory: http://seclists.org/bugtraq/2016/Oct/6
Restart Required: Yes
Instructions:
1. Download the appropriate patch from EMC support.
2. Apply the patch to all affected systems.
3. Restart the Replication Manager services.
4. Verify the patch installation.
🔧 Temporary Workarounds
Restrict SMB Share Access
Windows: Limit access to SMB shares used by Replication Manager to trusted RM servers only.
Use Windows Firewall or network ACLs to restrict SMB (ports 139, 445) access to specific IP addresses.
Disable Unnecessary SMB Shares
Windows: Disable SMB shares that are not required for Replication Manager operations.
Remove or disable SMB shares via Windows Server Manager or PowerShell: Remove-SmbShare -Name ShareName
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Replication Manager systems from untrusted networks.
- Monitor SMB share access logs for unauthorized script placement or execution attempts.
🔍 How to Verify
Check if Vulnerable:
Check the installed version of EMC Replication Manager or Networker Module against the affected version ranges.
Check Version:
Check the software version in the Replication Manager console or via Windows Programs and Features.
Verify Fix Applied:
Verify that the patch version is installed and that SMB share access is properly restricted.
📡 Detection & Monitoring
Log Indicators:
- Unusual SMB file writes to Replication Manager shares
- Execution of unexpected scripts or commands from SMB locations
- Failed authentication attempts to SMB shares
Network Indicators:
- SMB traffic from untrusted sources to Replication Manager systems
- Unusual outbound connections following SMB file placement
SIEM Query:
source="windows" AND event_id=5145 AND share_name="*Replication*" AND (relative_target="*.ps1" OR relative_target="*.bat")
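The same detection as an added Python example (not part of the original advisory or any vendor tooling): it narrows the query above to write access and separates writes from allowlisted Replication Manager servers from writes by any other host. The allowlisted address, the share pattern and the sample events are assumptions constructed for illustration; the event field names follow the EventData of Windows event 5145.

```python
import fnmatch
import ipaddress

# Assumed values for illustration; none of these come from the advisory.
TRUSTED_RM_SERVERS = {"10.0.5.10"}    # hosts expected to write to RM shares
SHARE_PATTERN = "*replication*"       # mirrors share_name="*Replication*"
SCRIPT_EXTENSIONS = (".ps1", ".bat")  # the extensions named in the query
WRITE_BITS = 0x2 | 0x4                # FILE_WRITE_DATA | FILE_APPEND_DATA


def _is_trusted(ip_text):
    """True only if the source parses as an IP address on the allowlist."""
    try:
        return str(ipaddress.ip_address(ip_text)) in TRUSTED_RM_SERVERS
    except ValueError:
        return False


def classify(event):
    """Return None, "review" or "high" for one parsed Security-log event."""
    if event.get("EventID") != 5145:
        return None
    if not fnmatch.fnmatch(event.get("ShareName", "").lower(), SHARE_PATTERN):
        return None
    if not event.get("RelativeTargetName", "").lower().endswith(SCRIPT_EXTENSIONS):
        return None
    try:
        mask = int(event.get("AccessMask", "0x0"), 16)
    except ValueError:
        return None
    if not mask & WRITE_BITS:
        return None  # read or attribute access only: nothing was placed
    return "review" if _is_trusted(event.get("IpAddress", "")) else "high"


def triage(events):
    """Return (severity, source IP, file) for every event worth a look."""
    return [(s, e["IpAddress"], e["RelativeTargetName"]) for e in events if (s := classify(e))]


# Constructed sample events, not taken from a real log.
SAMPLE_EVENTS = [
    {"EventID": 5145, "IpAddress": "10.0.5.10", "ShareName": r"\\*\ReplicationJobs",
     "RelativeTargetName": r"jobs\mount.bat", "AccessMask": "0x2"},
    {"EventID": 5145, "IpAddress": "192.0.2.44", "ShareName": r"\\*\ReplicationJobs",
     "RelativeTargetName": r"jobs\pre.ps1", "AccessMask": "0x2"},
    {"EventID": 5145, "IpAddress": "192.0.2.44", "ShareName": r"\\*\ReplicationJobs",
     "RelativeTargetName": r"jobs\pre.ps1", "AccessMask": "0x1"},
]
```

Writes from an allowlisted server are still returned as "review" rather than dropped, because the script in this CVE is placed by a Replication Manager server.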