CVE-2017-17424

9.8 CRITICAL

📋 TL;DR

CVE-2017-17424 is a critical SQL injection vulnerability in Quest NetVault Backup that allows unauthenticated remote attackers to execute arbitrary SQL commands. This can lead to remote code execution on the underlying database server. All users running vulnerable versions of NetVault Backup are affected.

💻 Affected Systems

Products:
  • Quest NetVault Backup
Versions: 11.3.0.12 and likely earlier versions
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the NVBUScheduleSet Get method handler and affects default installations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the database server leading to data theft, destruction, or ransomware deployment across the backup infrastructure.

🟠 Likely Case

Database compromise allowing data exfiltration, privilege escalation, and potential lateral movement to other systems.

🟢 If Mitigated

Limited impact with proper network segmentation and database hardening, though SQL injection would still succeed.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation makes internet-facing instances extremely vulnerable.
🏢 Internal Only: HIGH - Even internal systems are at high risk due to the unauthenticated nature of the vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

ZDI published details and proof-of-concept. The vulnerability is straightforward to exploit due to lack of authentication requirements.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.3.0.13 or later

Vendor Advisory: https://support.quest.com/netvault-backup/kb/293038/netvault-backup-security-vulnerability-notification

Restart Required: Yes

Instructions:

1. Download the latest patch from the Quest support portal.
2. Back up the current configuration.
3. Apply the patch following vendor instructions.
4. Restart NetVault Backup services.
5. Verify the update was successful.

🔧 Temporary Workarounds

Network Access Control (Linux)

Restrict access to NetVault Backup ports (typically TCP 20031-20034) to trusted IP addresses only.

Use firewall rules to limit access:

iptables -A INPUT -p tcp --dport 20031:20034 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 20031:20034 -j DROP

Network Access Control (Windows)

Restrict access to NetVault Backup ports using Windows Firewall. Block rules take precedence over allow rules in Windows Firewall, so a blanket block rule on these ports would also cut off the trusted address. Rely on the default inbound block action, remove or disable any broader allow rule for these ports, and add an allow rule scoped to the trusted address:

New-NetFirewallRule -DisplayName "Allow NetVault Ports" -Direction Inbound -LocalPort 20031-20034 -Protocol TCP -Action Allow -RemoteAddress trusted_ip

🧯 If You Can't Patch

  • Immediately isolate the NetVault Backup server from untrusted networks using firewall rules.
  • Implement web application firewall (WAF) rules to block SQL injection patterns targeting the NVBUScheduleSet endpoint.

🔍 How to Verify

Check if Vulnerable:

Check NetVault Backup version in the web interface or via the installed software list. Versions 11.3.0.12 and earlier are vulnerable.

Check Version:

On Windows: check Add/Remove Programs.
On Linux (RPM-based): rpm -qa | grep netvault
On Linux (Debian-based): dpkg -l | grep netvault

Verify Fix Applied:

Verify the version is 11.3.0.13 or later. Test the NVBUScheduleSet endpoint with SQL injection payloads to confirm patching.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed authentication attempts followed by SQL errors
  • Requests to /NVBUScheduleSet with SQL-like payloads

Network Indicators:

  • Unusual traffic to NetVault Backup ports (20031-20034) from unexpected sources
  • SQL error messages in HTTP responses

SIEM Query:

source="netvault.log" AND "NVBUScheduleSet" AND ("SELECT" OR "UNION" OR "OR 1=1" OR "'--")
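
A plain keyword match can miss URL-encoded payloads, so the sketch below normalizes each log line before looking for the same tokens on lines that reference NVBUScheduleSet. It is an added example, not code from Quest or ZDI; the log line layout, the sample lines and the `/SomeOtherHandler` path are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Tokens taken from the SIEM query above; matched after normalization.
SQL_TOKENS = [
    re.compile(r"\bselect\b"),
    re.compile(r"\bunion\b"),
    re.compile(r"\bor\s+1\s*=\s*1\b"),
    re.compile(r"'\s*--"),
]
HANDLER = "nvbuscheduleset"


def normalize(line, max_rounds=3):
    """URL-decode repeatedly (covers double encoding), lowercase, collapse whitespace."""
    for _ in range(max_rounds):
        decoded = unquote_plus(line)
        if decoded == line:
            break
        line = decoded
    return re.sub(r"\s+", " ", line.lower())


def suspicious(line):
    """Return the token patterns matched on a line that references the handler."""
    text = normalize(line)
    if HANDLER not in text:
        return []
    return [p.pattern for p in SQL_TOKENS if p.search(text)]


def scan(lines):
    """Map line index to matched patterns for every flagged line."""
    return {i: hits for i, line in enumerate(lines) if (hits := suspicious(line))}


# Constructed sample lines in an assumed format; not real NetVault log output.
SAMPLE_LOG = [
    "2017-12-20 10:01:02 10.0.0.5 POST /NVBUScheduleSet method=Get id=42",
    "2017-12-20 10:01:09 203.0.113.7 POST /NVBUScheduleSet method=Get id=1%27%20UNION%20SELECT%20null--",
    "2017-12-20 10:01:15 203.0.113.7 POST /NVBUScheduleSet method=Get id=1%2527%2520oR%25201%253D1",
    "2017-12-20 10:02:00 10.0.0.5 GET /SomeOtherHandler name=union_street_select",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(f"line {idx}: {hits}")
```

Adjust `SAMPLE_LOG` parsing to the real log source before use; the decoding depth is capped so a crafted line cannot force unbounded decode rounds.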
