CVE-2018-1161

9.8 CRITICAL

📋 TL;DR

This is a critical remote code execution vulnerability in Quest NetVault Backup that allows unauthenticated attackers to execute arbitrary code with SYSTEM privileges. The vulnerability exists in the nvwsworker.exe component when processing multipart request boundary headers. All systems running vulnerable versions of NetVault Backup are affected.

💻 Affected Systems

Products:
  • Quest NetVault Backup
Versions: 11.2.0.13 and likely earlier versions
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The nvwsworker.exe service runs by default and listens on network ports.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with SYSTEM privileges, allowing attackers to install malware, steal data, pivot to other systems, or establish persistent access.

🟠 Likely Case: Remote code execution leading to ransomware deployment, data exfiltration, or installation of backdoors for future attacks.

🟢 If Mitigated: Limited impact if proper network segmentation, firewalls, and intrusion detection systems are in place to block exploitation attempts.

🌐 Internet-Facing: HIGH - Authentication is not required, making internet-facing instances extremely vulnerable to automated attacks.
🏢 Internal Only: HIGH - Even internally, this vulnerability can be exploited by any network-accessible attacker without authentication.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in a network service and requires no authentication, making exploitation straightforward for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.3.0.12 or later

Vendor Advisory: https://support.quest.com/netvault-backup/kb/311640/quest-netvault-backup-security-vulnerabilities-november-2018

Restart Required: Yes

Instructions:

1. Download the latest NetVault Backup version from the Quest support portal.
2. Back up the current configuration.
3. Stop NetVault Backup services.
4. Install the update.
5. Restart services and verify functionality.

🔧 Temporary Workarounds

Network Segmentation (all platforms)

Restrict network access to NetVault Backup servers using firewalls or network ACLs.

Service Hardening (Windows)

Run NetVault Backup services with reduced privileges instead of SYSTEM:

sc config "NetVault Backup Service" obj= "NT AUTHORITY\LocalService"

🧯 If You Can't Patch

  • Implement strict network access controls to limit connections to NetVault Backup servers
  • Deploy intrusion detection/prevention systems to monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check NetVault Backup version in the administration console or by examining installed programs in Control Panel

Check Version:

wmic product where "name like '%NetVault%'" get version

Verify Fix Applied:

Verify version is 11.3.0.12 or later and test multipart request handling functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from nvwsworker.exe
  • Multiple failed multipart requests
  • Unexpected network connections from NetVault Backup server

Network Indicators:

  • Unusual traffic to NetVault Backup ports (typically 20031-20034)
  • Malformed multipart requests with long boundary headers
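
Added example (not from the vendor advisory or this page's source): one way to turn the "long boundary headers" network indicator into a check over HTTP request metadata exported from a proxy or sensor. The record fields (src, content_type) and the sample data are constructed; the 70-character threshold is the RFC 2046 limit on boundary length, not a value from the advisory.

```python
import re

# RFC 2046 section 5.1.1 caps a multipart boundary at 70 characters.
RFC2046_MAX_BOUNDARY = 70

# Content-Type parameters follow a semicolon; the value may be quoted.
_BOUNDARY_RE = re.compile(r';\s*boundary\s*=\s*(?:"([^"]*)"|([^;\s]*))', re.I)


def boundary_of(content_type):
    """Return the boundary parameter of a multipart Content-Type, else None."""
    if not content_type.strip().lower().startswith("multipart/"):
        return None
    m = _BOUNDARY_RE.search(content_type)
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def flag_requests(records, max_len=RFC2046_MAX_BOUNDARY):
    """Return (src, boundary_length, reason) for each malformed multipart request."""
    findings = []
    for rec in records:
        ctype = rec.get("content_type", "")
        if not ctype.strip().lower().startswith("multipart/"):
            continue  # only multipart requests carry a boundary
        boundary = boundary_of(ctype)
        if not boundary:
            findings.append((rec["src"], 0, "missing boundary"))
        elif len(boundary) > max_len:
            findings.append((rec["src"], len(boundary), "overlong boundary"))
    return findings


# Constructed sample records (documentation addresses, hypothetical field names).
SAMPLE = [
    {"src": "192.0.2.21", "content_type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"},
    {"src": "192.0.2.77", "content_type": "multipart/form-data; boundary=" + "A" * 300},
    {"src": "192.0.2.30", "content_type": "application/json"},
    {"src": "192.0.2.77", "content_type": 'multipart/form-data; boundary="' + "B" * 71 + '"'},
    {"src": "192.0.2.44", "content_type": "multipart/form-data"},
]

if __name__ == "__main__":
    for src, length, reason in flag_requests(SAMPLE):
        print(f"{src}\t{reason}\tlength={length}")
```

Legitimate clients generate boundaries well under the limit, so any hit against a NetVault Backup server is worth correlating with the log indicators above.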

SIEM Query:

source="netvault.log" AND ("buffer overflow" OR "nvwsworker.exe" AND "crash")
