CVE-2017-17656

9.8 CRITICAL

📋 TL;DR

CVE-2017-17656 is a critical SQL injection vulnerability in Quest NetVault Backup that allows unauthenticated remote attackers to execute arbitrary SQL commands. This can lead to remote code execution on the underlying database server. All installations of Quest NetVault Backup 11.3.0.12 are affected.

💻 Affected Systems

Products:
  • Quest NetVault Backup
Versions: 11.3.0.12
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. The vulnerability exists in the NVBUBackup JobList method handler.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via remote code execution, data theft, and lateral movement within the network.

🟠 Likely Case

Database compromise leading to data exfiltration, backup corruption, and potential ransomware deployment.

🟢 If Mitigated

Limited to database-level impact if proper network segmentation and database permissions are enforced.

🌐 Internet-Facing: HIGH - No authentication is required and exploitation is straightforward.
🏢 Internal Only: HIGH - Even internal systems are vulnerable to network-accessible attacks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available and requires no authentication. The vulnerability was part of ZDI-CAN-4292.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.3.0.13 or later

Vendor Advisory: https://support.quest.com/netvault-backup/kb/293640/quest-netvault-backup-security-vulnerabilities-november-2017

Restart Required: Yes

Instructions:

1. Download the latest patch from Quest support portal.
2. Stop NetVault Backup services.
3. Apply the patch.
4. Restart services.
5. Verify version is 11.3.0.13 or higher.

🔧 Temporary Workarounds

Network Access Control

linux

Restrict access to NetVault Backup service ports (typically TCP 20031-20034) to trusted IP addresses only.

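Use firewall rules to limit access, replacing trusted_ip with the address of an allowed host. The ACCEPT rule must be added before the DROP rule, because iptables applies the first matching rule:

iptables -A INPUT -p tcp --dport 20031:20034 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 20031:20034 -j DROP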

Windows Firewall Rules

windows

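Block external access to NetVault Backup ports using Windows Firewall. As written, the rule below blocks all inbound connections to these ports, including connections from other hosts on the internal network.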

New-NetFirewallRule -DisplayName "Block NetVault Ports" -Direction Inbound -LocalPort 20031-20034 -Protocol TCP -Action Block

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate NetVault Backup servers from untrusted networks
  • Deploy web application firewall (WAF) with SQL injection protection rules in front of the service

🔍 How to Verify

Check if Vulnerable:

Check if NetVault Backup version is 11.3.0.12. The service typically runs on ports 20031-20034.

Check Version:

On Windows: Check Programs and Features. On Linux: rpm -qa | grep netvault or dpkg -l | grep netvault

Verify Fix Applied:

Verify the installed version is 11.3.0.13 or later through the NetVault Backup administration interface.
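
The version comparison behind the check above, as an added example that is not part of the original advisory or of Quest's tooling: a POSIX shell helper that compares dotted versions numerically, so that 11.3.0.9 is not mistaken for a release newer than 11.3.0.13. The function names and the sample package strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Fixed release taken from this page.
FIXED_VERSION="11.3.0.13"

# Print the first dotted version (3 or 4 numeric fields) found in the text,
# e.g. in a line of package-manager output. Prints nothing if none is found
# (a failed match is not treated as an error).
nv_extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+){2,3}' | head -n 1 || true
}

# Compare two dotted versions field by field as integers.
# Prints -1, 0 or 1. Missing fields count as 0, so 11.4 equals 11.4.0.0.
nv_version_cmp() {
    a=$1; b=$2; i=0
    while [ "$i" -lt 4 ]; do
        fa=${a%%.*}; fb=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then printf '%s\n' -1; return; fi
        if [ "$fa" -gt "$fb" ]; then printf '%s\n' 1; return; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# Classify a version string or package line against FIXED_VERSION.
# "needs-update" means below the fixed release; the page lists 11.3.0.12 as
# affected, and treating every lower version the same way is an assumption.
nv_fix_status() {
    v=$(nv_extract_version "$1")
    if [ -z "$v" ]; then printf '%s\n' unknown; return; fi
    if [ "$(nv_version_cmp "$v" "$FIXED_VERSION")" -lt 0 ]; then
        printf '%s\n' needs-update
    else
        printf '%s\n' fixed
    fi
}

# Constructed sample inputs; the package file names are illustrative only.
for sample in "netvault-11.3.0.12-1.x86_64" "11.3.0.13" "11.3.0.9" "none"; do
    printf '%-30s %s\n' "$sample" "$(nv_fix_status "$sample")"
done
```

On a Linux host the helper can be fed the package query shown under Check Version, for example nv_fix_status "$(rpm -qa | grep netvault)".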

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed authentication attempts to NetVault Backup
  • Unexpected process execution from NetVault Backup service account

Network Indicators:

  • SQL injection patterns in HTTP requests to ports 20031-20034
  • Unusual outbound connections from NetVault Backup server

SIEM Query:

source="netvault.log" AND ("JobList" OR "NVBUBackup") AND (sql OR union OR select)
