CVE-2017-17420

9.8 CRITICAL

📋 TL;DR

This is a critical SQL injection vulnerability in Quest NetVault Backup that allows unauthenticated remote attackers to execute arbitrary SQL commands. Attackers can leverage this to execute arbitrary code in the context of the underlying database server. All installations of Quest NetVault Backup 11.3.0.12 are affected.

💻 Affected Systems

Products:
  • Quest NetVault Backup
Versions: 11.3.0.12
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of the affected version are vulnerable by default. No special configuration required.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise via remote code execution, data theft, and potential lateral movement within the network.

🟠 Likely Case: Database compromise leading to data exfiltration, privilege escalation, and potential ransomware deployment.

🟢 If Mitigated: Limited impact with proper network segmentation, but still significant risk to the database server.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation makes internet-facing systems extremely vulnerable.
🏢 Internal Only: HIGH - Even internal systems are at high risk due to unauthenticated exploitation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

ZDI published a detailed advisory with exploitation details. The vulnerability is easily exploitable with standard SQL injection techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.3.0.13 or later

Vendor Advisory: https://support.quest.com/netvault-backup/kb/293038/netvault-backup-security-vulnerabilities-november-2017

Restart Required: Yes

Instructions:

1. Download the latest patch from the Quest support portal.
2. Back up the current configuration.
3. Apply the patch following the vendor instructions.
4. Restart the NetVault Backup services.

🔧 Temporary Workarounds

Network Segmentation (applies to: all platforms)

Block external access to the NetVault Backup web interface (default port 8000):

Linux:   iptables -A INPUT -p tcp --dport 8000 -j DROP
Windows: netsh advfirewall firewall add rule name="Block NetVault" dir=in action=block protocol=TCP localport=8000

Note: as written, both rules drop all inbound traffic to port 8000, including connections from administrators and backup clients. Insert an allow rule for trusted management addresses ahead of the block rule (for example iptables -I INPUT -p tcp -s <admin-net> --dport 8000 -j ACCEPT, replacing <admin-net> with your management network) so that legitimate access survives.

Web Application Firewall (applies to: all platforms)

Deploy a WAF with SQL injection protection rules in front of the NetVault Backup web interface. This reduces exposure but is not a substitute for the patch.

🧯 If You Can't Patch

  • Immediately isolate the NetVault Backup server from internet and restrict internal access to authorized IPs only
  • Implement strict network monitoring and alerting for SQL injection attempts on port 8000

🔍 How to Verify

Check if Vulnerable:

Check the NetVault Backup version in the web interface or on the command line with nvbackup --version. Version 11.3.0.12 is affected.

Verify Fix Applied:

Confirm that the reported version is 11.3.0.13 or later, and confirm that SQL injection test requests against the web interface are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed authentication attempts followed by SQL errors
  • Requests to /nvbackup/ with SQL injection patterns

Network Indicators:

  • Unusual traffic to port 8000 with SQL keywords in payloads
  • Outbound database connections from NetVault server to unexpected destinations

SIEM Query:

source="netvault.log" AND ("SQL" OR "injection" OR "NVBUJobCountHistory")
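As an added example that is not part of this advisory, the filter below applies the log indicators above to constructed access-log lines: it flags requests to /nvbackup/ on port 8000 whose URLs contain common SQL injection patterns or the NVBUJobCountHistory keyword from the SIEM query. The log layout is an assumption, since NetVault's real log format is not documented here.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (assumption: a simplified
# '<ts> <src_ip> <dst_port> "<method> <url>" <status>' layout).
SAMPLE_LOG = """\
2017-11-12T10:01:02Z 10.0.0.5 8000 "GET /nvbackup/status" 200
2017-11-12T10:01:07Z 10.0.0.9 8000 "GET /nvbackup/report?job=1" 200
2017-11-12T10:02:41Z 203.0.113.7 8000 "GET /nvbackup/report?job=1'%20OR%201%3D1--" 500
2017-11-12T10:02:45Z 203.0.113.7 8000 "POST /nvbackup/api?table=NVBUJobCountHistory" 500
2017-11-12T10:03:00Z 10.0.0.5 8000 "GET /static/logo.png?x=1'%20OR%201%3D1" 200
2017-11-12T10:03:10Z 10.0.0.5 443 "GET /nvbackup/report?job=1'%20OR%201%3D1--" 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\d+) "(\w+) ([^"]+)" (\d{3})$')

# Generic SQL injection indicators: quote followed by a boolean operator,
# UNION SELECT, comment terminators, and stacked-query keywords. "--" is noisy
# on its own, so results should be triaged rather than auto-blocked.
SQLI_RE = re.compile(
    r"(?:'\s*(?:or|and)\b|\bunion\b\s+(?:all\s+)?select\b|--|/\*|;\s*(?:drop|insert|update|delete)\b)",
    re.IGNORECASE,
)
# Keyword taken from the advisory's SIEM query, treated as an indicator in its own right.
KEYWORDS = ("NVBUJobCountHistory",)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, port, method, url, status = m.groups()
    return {"ts": ts, "src": src, "port": int(port), "method": method,
            "url": unquote(url), "status": int(status)}

def is_suspicious(rec):
    # Only NetVault web interface traffic on its default port is in scope.
    if rec is None or rec["port"] != 8000 or not rec["url"].startswith("/nvbackup/"):
        return False
    return bool(SQLI_RE.search(rec["url"])) or any(k in rec["url"] for k in KEYWORDS)

def find_suspicious(log_text):
    """Return (timestamp, source ip, decoded url) for every line matching the indicators."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_suspicious(rec):
            hits.append((rec["ts"], rec["src"], rec["url"]))
    return hits

if __name__ == "__main__":
    for ts, src, url in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {src} {url}")
```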
