CVE-2017-17416
📋 TL;DR
This is a critical SQL injection vulnerability in Quest NetVault Backup that allows unauthenticated remote attackers to execute arbitrary SQL commands. Attackers can leverage this to execute code in the context of the underlying database, potentially leading to complete system compromise. All installations of Quest NetVault Backup 11.3.0.12 are affected.
💻 Affected Systems
- Quest NetVault Backup
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover via database code execution leading to data theft, ransomware deployment, or lateral movement across the network.
Likely Case
Database compromise leading to backup data exfiltration, credential harvesting, or installation of persistence mechanisms.
If Mitigated
Limited impact with proper network segmentation and database privilege restrictions, potentially only affecting the backup application data.
🎯 Exploit Status
ZDI published a detailed advisory with exploitation details. The vulnerability is straightforward to exploit because no authentication is required to reach the affected endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.3.0.13 or later
Vendor Advisory: https://support.quest.com/netvault-backup/kb/311640/quest-netvault-backup-security-update-for-vulnerabilities
Restart Required: Yes
Instructions:
1. Download the latest patch from the Quest support portal.
2. Stop NetVault Backup services.
3. Apply the patch.
4. Restart services.
5. Verify the version is 11.3.0.13 or higher.
🔧 Temporary Workarounds
Network Access Control
Restrict network access to NetVault Backup service ports (typically TCP 20031-20034) to only trusted management systems.
Use firewall rules to restrict access (replace trusted_ip with the management host or subnet):
iptables -A INPUT -p tcp --dport 20031:20034 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 20031:20034 -j DROP
Note that -A appends to the end of the INPUT chain, so these rules only take effect if no earlier rule already accepts traffic to those ports; check the chain order with iptables -L INPUT -n --line-numbers.
Windows Firewall Rules
Block external access to NetVault Backup ports using Windows Firewall.
New-NetFirewallRule -DisplayName "Block NetVault Ports" -Direction Inbound -LocalPort 20031-20034 -Protocol TCP -Action Block
In Windows Firewall a Block rule wins over any Allow rule for the same traffic, so scope this rule with -RemoteAddress to the untrusted ranges (or add a separate Allow rule and exclude the trusted management systems from the Block rule); otherwise legitimate management access is cut off as well.
🧯 If You Can't Patch
- Isolate the NetVault Backup server in a dedicated VLAN with strict access controls
- Implement web application firewall (WAF) rules to block SQL injection patterns targeting the NVBUPhaseStatus GetPlugins endpoint
🔍 How to Verify
Check if Vulnerable:
Check the NetVault Backup version in the administration console or, on Windows, via the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Quest\NetVault\Version. Version 11.3.0.12 is vulnerable.
Check Version:
On Windows: reg query "HKLM\SOFTWARE\Quest\NetVault" /v Version
On Linux: cat /opt/quest/netvault/version.txt
Verify Fix Applied:
Verify version is 11.3.0.13 or higher in administration console or registry
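The version check above is easy to get wrong when scripted, because a plain string comparison treats "11.3.0.9" as newer than "11.3.0.13". The following is an added example (not Quest code) that parses the version string returned by the commands in this section and compares it numerically against the fixed version. The reg query output layout it parses ("Version    REG_SZ    value") is the standard Windows format, and the sample output is constructed.

```python
"""Decide whether a NetVault Backup install is at or above the fixed version
(11.3.0.13) from the version string returned by the checks in this section.

Added example, not Quest code. The sample reg query output below is constructed.
"""
import re

FIXED_VERSION = "11.3.0.13"


def parse_version(text):
    """Turn '11.3.0.12' into (11, 3, 0, 12) so comparison is numeric, not lexical."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def version_from_reg_query(output):
    """Extract the Version value from `reg query ... /v Version` output (Windows).

    Assumes the standard layout '    Version    REG_SZ    11.3.0.12'.
    """
    m = re.search(r"^\s*Version\s+REG_SZ\s+(\S+)\s*$", output, re.MULTILINE)
    if not m:
        raise ValueError("Version value not found in reg query output")
    return m.group(1)


def is_fixed(version_text, fixed=FIXED_VERSION):
    """True when the installed version is the fixed version or later."""
    installed = parse_version(version_text)
    required = parse_version(fixed)
    # Pad the shorter tuple with zeros so "11.4" compares like "11.4.0.0".
    n = max(len(installed), len(required))
    installed += (0,) * (n - len(installed))
    required += (0,) * (n - len(required))
    return installed >= required


# Constructed sample of `reg query "HKLM\SOFTWARE\Quest\NetVault" /v Version` output.
SAMPLE_REG_OUTPUT = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Quest\\NetVault
    Version    REG_SZ    11.3.0.12
"""

if __name__ == "__main__":
    installed = version_from_reg_query(SAMPLE_REG_OUTPUT)
    print(f"installed {installed}: {'fixed' if is_fixed(installed) else 'VULNERABLE'}")
```

On Linux, feed the contents of /opt/quest/netvault/version.txt to is_fixed() directly instead of going through version_from_reg_query().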
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed authentication attempts followed by SQL errors
- Requests to /NVBUPhaseStatus/GetPlugins with SQL-like patterns
Network Indicators:
- Unusual outbound connections from database server
- SQL injection patterns in HTTP requests to ports 20031-20034
SIEM Query:
(source="netvault.log" AND "GetPlugins" AND ("UNION" OR "SELECT" OR "INSERT" OR "DELETE")) OR (source="database.log" AND "netvault" AND "error")
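The SIEM query matches raw keywords, so a percent-encoded or comment-split payload in the request line slips past it. The script below is an added example (not NetVault or vendor code) that applies the same GetPlugins-plus-SQL-keyword logic to request log lines after decoding them. The log line layout (timestamp, client IP, method, request path, status) and the query parameter name are assumptions, and the sample lines are constructed; adapt LINE_RE to the real log format.

```python
"""Scan HTTP request log lines for suspected SQL injection attempts against the
GetPlugins endpoint named in this advisory.

Added example, not NetVault code. Line layout and sample lines are constructed:
"<iso-timestamp> <client-ip> <METHOD> <path> <status>".
"""
import re
from urllib.parse import unquote_plus

# Endpoint path from the advisory and the SQL keywords its SIEM query lists.
ENDPOINT = "/NVBUPhaseStatus/GetPlugins"
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|INSERT|DELETE)\b", re.IGNORECASE)
SQL_COMMENT = re.compile(r"/\*.*?\*/")  # inline comments used to split keywords

# Assumed line layout (constructed, not the real NetVault log format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample lines; the "name" parameter is an assumption.
SAMPLE_LOGS = [
    "2017-12-05T10:15:20Z 198.51.100.10 GET /NVBUPhaseStatus/GetPlugins?name=backup 200",
    "2017-12-05T10:15:22Z 203.0.113.7 GET /NVBUPhaseStatus/GetPlugins?name=x%27%20UNION%20SELECT%201,2-- 500",
    "2017-12-05T10:15:23Z 203.0.113.7 GET /NVBUPhaseStatus/GetPlugins?name=x'/**/UNION/**/SELECT/**/1 500",
    "2017-12-05T10:15:30Z 198.51.100.10 GET /static/select-plugins.css 200",
    "2017-12-05T10:15:31Z 198.51.100.11 GET /NVBUPhaseStatus/GetPlugins?name=Selection 200",
]


def parse_line(line):
    """Split one log line into its fields, or return None if it does not fit LINE_RE."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def normalise(path):
    """Decode percent-encoding and strip /**/ comments so obfuscated keywords still match."""
    return SQL_COMMENT.sub(" ", unquote_plus(path))


def is_suspicious(entry):
    """True for requests to the GetPlugins endpoint whose decoded path carries a SQL keyword."""
    route = entry["path"].split("?", 1)[0]
    if not route.lower().endswith(ENDPOINT.lower()):
        return False
    return bool(SQL_KEYWORDS.search(normalise(entry["path"])))


def scan(lines):
    """Return one record per suspicious request, with the decoded path for the analyst."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append({
                "ts": entry["ts"],
                "src": entry["src"],
                "status": entry["status"],
                "path": normalise(entry["path"]),
            })
    return hits


def sources_with_hits(hits):
    """Count suspicious requests per client IP, the usual pivot for follow-up."""
    counts = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for h in found:
        print(f"{h['ts']} {h['src']} {h['status']} {h['path']}")
    print(sources_with_hits(found))
```

The word-boundary match keeps benign values such as "Selection" out, and the endpoint filter keeps keyword hits on unrelated paths (a stylesheet named select-plugins.css) from firing; only decoded or comment-split keywords in requests to GetPlugins are reported.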