CVE-2017-17654

9.8 CRITICAL

📋 TL;DR

CVE-2017-17654 is a critical SQL injection vulnerability in Quest NetVault Backup that allows unauthenticated remote attackers to execute arbitrary SQL commands. This can lead to remote code execution on the underlying database server. All installations of Quest NetVault Backup 11.3.0.12 are affected.

💻 Affected Systems

Products:
  • Quest NetVault Backup
Versions: 11.3.0.12
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. The NVBUBackup service listens on TCP port 20031 by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the database server leading to data theft, system takeover, and lateral movement to other systems.

🟠 Likely Case

Database compromise leading to backup data theft, credential harvesting, and potential ransomware deployment.

🟢 If Mitigated

Limited impact with proper network segmentation and database hardening, though SQL injection would still succeed.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation makes internet-facing instances extremely vulnerable.
🏢 Internal Only: HIGH - Even internal systems are vulnerable to any network-accessible attacker.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

ZDI published a detailed advisory with exploitation details. The vulnerability is in the ClientList method of the NVBUBackup service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.3.0.13 or later

Vendor Advisory: https://support.quest.com/netvault-backup/kb/293038/netvault-backup-security-vulnerabilities-november-2017

Restart Required: Yes

Instructions:

1. Download and install Quest NetVault Backup 11.3.0.13 or later from Quest support portal.
2. Stop all NetVault services.
3. Apply the update.
4. Restart services.

🔧 Temporary Workarounds

Network Access Control

all

Restrict access to the NetVault Backup service port (default TCP 20031) to trusted management networks only.

# As written, both rules block every inbound connection to port 20031.
# Windows:
netsh advfirewall firewall add rule name="Block NetVault" dir=in action=block protocol=TCP localport=20031
# Linux:
iptables -A INPUT -p tcp --dport 20031 -j DROP

Database Hardening

all

Apply the principle of least privilege to database accounts used by NetVault Backup.

-- SQL Server (T-SQL) syntax
REVOKE EXECUTE ON xp_cmdshell FROM [netvault_user];
DENY CONTROL SERVER TO [netvault_user];

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate NetVault Backup servers from untrusted networks
  • Deploy a web application firewall (WAF) with SQL injection protection rules in front of the service

🔍 How to Verify

Check if Vulnerable:

Check if NetVault Backup version is 11.3.0.12. Test for SQL injection by sending crafted requests to TCP port 20031.

Check Version:

# Windows:
reg query "HKLM\SOFTWARE\Quest Software\NetVault Backup" /v Version
# Linux:
cat /opt/quest/netvault/version.txt

Verify Fix Applied:

Verify version is 11.3.0.13 or later. Attempt SQL injection test to confirm it's blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in NetVault logs
  • Failed authentication attempts followed by SQL syntax errors
  • Unexpected database queries from NetVault service account

Network Indicators:

  • SQL keywords in requests to port 20031
  • Unusual outbound connections from database server
  • Multiple rapid requests to ClientList endpoint

SIEM Query:

source="netvault.log" AND ("SQL" OR "syntax" OR "xp_cmdshell")
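
The log indicators and SIEM query above, written as offline detection logic. This is an added example, not code from the vendor or from this advisory. The "<ISO time> <source IP> <message>" log layout, the message wording, the sample lines and the 60-second correlation window are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Terms from the page's SIEM query, matched as whole words, case-insensitively.
KEYWORDS = re.compile(r"\b(sql|syntax|xp_cmdshell)\b", re.IGNORECASE)
AUTH_FAIL = re.compile(r"authentication failed", re.IGNORECASE)
SYNTAX_ERR = re.compile(r"syntax error", re.IGNORECASE)
WINDOW = timedelta(seconds=60)  # assumed correlation window

# Constructed sample lines; the "<ISO time> <source IP> <message>" layout is an
# assumption, not NetVault's real log format.
SAMPLE_LOG = """\
2017-11-20T10:14:58 10.0.5.23 Authentication failed for client request
2017-11-20T10:15:02 10.0.5.23 Database error: syntax error at or near "'"
2017-11-20T10:15:40 10.0.9.7 Backup job 112 completed
2017-11-20T10:16:10 10.0.9.7 Authentication failed for client request
2017-11-20T10:20:00 10.0.5.23 Query rejected: xp_cmdshell is not permitted
"""

def parse(line):
    """Split one line into (timestamp, source IP, message)."""
    ts, src, msg = line.split(" ", 2)
    return datetime.fromisoformat(ts), src, msg

def scan(text):
    """Return (keyword_hits, correlated) for the log text."""
    keyword_hits, correlated = [], []
    last_auth_fail = {}  # source IP -> time of most recent failed auth
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, msg = parse(line)
        if KEYWORDS.search(msg):
            keyword_hits.append((src, msg))
        if AUTH_FAIL.search(msg):
            last_auth_fail[src] = ts
        elif SYNTAX_ERR.search(msg):
            # Indicator: failed authentication followed by a SQL syntax error
            seen = last_auth_fail.get(src)
            if seen is not None and ts - seen <= WINDOW:
                correlated.append((src, ts.isoformat()))
    return keyword_hits, correlated

if __name__ == "__main__":
    hits, pairs = scan(SAMPLE_LOG)
    for src, msg in hits:
        print("keyword", src, msg)
    for src, when in pairs:
        print("auth-fail then syntax error", src, when)
```

The keyword list alone will also match benign database messages, so the correlated findings are the higher-confidence signal.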
