CVE-2017-17418

9.8 CRITICAL

📋 TL;DR

CVE-2017-17418 is a critical SQL injection vulnerability in Quest NetVault Backup that allows unauthenticated remote attackers to execute arbitrary SQL commands. This can lead to remote code execution on the underlying database server. All installations of NetVault Backup 11.3.0.12 are affected.

💻 Affected Systems

Products:
  • Quest NetVault Backup
Versions: 11.3.0.12
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of the affected version are vulnerable. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the database server leading to data theft, ransomware deployment, and lateral movement to other systems in the network.

🟠 Likely Case

Database compromise leading to backup data theft, credential harvesting, and potential privilege escalation to operating system level.

🟢 If Mitigated

Limited impact with proper network segmentation and database hardening, potentially only affecting the backup application's functionality.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation makes internet-facing instances extremely vulnerable to automated attacks.
🏢 Internal Only: HIGH - Even internal instances are at high risk due to unauthenticated exploitation and potential lateral movement from compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

ZDI published a detailed advisory with exploitation details. The vulnerability is in the NVBUPolicy Get method and requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.3.0.13 or later

Vendor Advisory: https://support.quest.com/netvault-backup/kb/293038/quest-netvault-backup-security-vulnerabilities-november-2017

Restart Required: Yes

Instructions:

1. Download the latest version from the Quest support portal.
2. Back up the current configuration.
3. Stop NetVault Backup services.
4. Install the update.
5. Restart services and verify functionality.

🔧 Temporary Workarounds

Network Access Control

Platform: all

Restrict access to the NetVault Backup web interface to trusted IP addresses only

# Use firewall rules to restrict access to port 8000/TCP (default)
iptables -A INPUT -p tcp --dport 8000 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP

Web Application Firewall

Platform: all

Deploy a WAF with SQL injection protection rules

# Example ModSecurity rule
SecRule ARGS "@detectSQLi" "id:1000,phase:2,deny,status:403,msg:'SQL Injection Attempt'"

🧯 If You Can't Patch

  • Immediately isolate the NetVault Backup server from internet and restrict network access to only necessary administrative systems
  • Implement database hardening: use least privilege accounts, enable SQL injection protection features, and monitor for suspicious database queries

🔍 How to Verify

Check if Vulnerable:

Check NetVault Backup version in web interface or installation directory. Version 11.3.0.12 is vulnerable.

Check Version:

On Windows: check Help > About in the NetVault GUI.
On Linux: check /usr/local/quest/netvault/version.txt

Verify Fix Applied:

Verify that the installed version is 11.3.0.13 or later. Test requests containing SQL injection patterns should be blocked or logged.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by NVBUPolicy requests
  • Unexpected process creation from database service

Network Indicators:

  • SQL injection patterns in HTTP requests to /nwapi/NVBUPolicy
  • Unusual outbound connections from database server
  • High volume of requests to vulnerable endpoint

SIEM Query:

source="netvault_logs" AND ("NVBUPolicy" AND ("UNION" OR "SELECT" OR "INSERT" OR "DELETE" OR "--" OR "' OR '1'='1"))
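The same indicator set applied offline to web-server style access logs, as an added example that is not part of the original advisory; the log format and the sample lines below are constructed assumptions, and paths are URL-decoded before matching so percent-encoded payloads are not missed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (assumed format: client, request, status).
SAMPLE_LOG = """\
10.0.0.5 "GET /nwapi/NVBUPolicy?name=daily HTTP/1.1" 200
10.0.0.5 "GET /nwapi/NVBUPolicy?name=daily'%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200
10.0.0.9 "GET /nwapi/NVBUPolicy?name=x'%20OR%20'1'%3D'1 HTTP/1.1" 200
10.0.0.7 "GET /nwapi/NVBUJobs?name=select_report HTTP/1.1" 200
10.0.0.8 "GET /index.html HTTP/1.1" 200
"""

ENDPOINT = "/nwapi/NVBUPolicy"
# Indicator set from the SIEM query: keywords matched as whole words,
# literals matched as substrings, all after URL decoding.
KEYWORDS = re.compile(r"\b(UNION|SELECT|INSERT|DELETE)\b", re.IGNORECASE)
LITERALS = ("--", "' OR '1'='1")
LINE_RE = re.compile(r'^(?P<client>\S+) "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def scan_line(line):
    """Return (client, reason) for a suspicious NVBUPolicy request, else None.

    Requests to other endpoints are ignored even if they contain SQL words,
    which keeps hits scoped to the vulnerable handler.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    path = unquote_plus(m.group("path"))
    if not path.startswith(ENDPOINT):
        return None
    query = path[len(ENDPOINT):]
    kw = KEYWORDS.search(query)
    if kw:
        return (m.group("client"), f"keyword {kw.group(1).upper()}")
    for lit in LITERALS:
        if lit in query:
            return (m.group("client"), f"literal {lit!r}")
    return None


def scan_log(text):
    """Scan a whole log; return a list of (line_no, client, reason) hits."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        r = scan_line(line)
        if r:
            hits.append((n, r[0], r[1]))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags only lines 2 and 3; line 4 contains "select" but targets a different endpoint and is left alone.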
