CVE-2018-1163
📋 TL;DR
CVE-2018-1163 is an authentication bypass vulnerability in Quest NetVault Backup that allows remote attackers to bypass authentication by manipulating the checksession parameter in JSON RPC requests. This affects organizations running vulnerable versions of NetVault Backup, potentially allowing attackers to execute arbitrary code with SYSTEM privileges.
💻 Affected Systems
- Quest NetVault Backup
⚠️ Risk & Real-World Impact
Worst Case
Remote unauthenticated attacker gains SYSTEM-level code execution, leading to complete system compromise, data theft, ransomware deployment, or lateral movement across the network.
Likely Case
Attackers bypass authentication to access backup data, modify backup configurations, or use this vulnerability as part of a chain to achieve code execution.
If Mitigated
With proper network segmentation and access controls, impact is limited to the backup server itself without lateral movement capabilities.
🎯 Exploit Status
ZDI published details and proof-of-concept. The vulnerability can be exploited without authentication and requires minimal technical skill.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.3.0.12 or later
Vendor Advisory: https://support.quest.com/netvault-backup/kb/293038/netvault-backup-security-vulnerability-notification
Restart Required: Yes
Instructions:
1. Download the latest NetVault Backup version from the Quest support portal.
2. Back up the current configuration.
3. Install the update following vendor instructions.
4. Restart the NetVault Backup service.
🔧 Temporary Workarounds
Network Access Restriction
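Windows: Restrict network access to the NetVault Backup management interface to trusted IP addresses only.
Use Windows Firewall: netsh advfirewall firewall add rule name="Block NetVault" dir=in action=block protocol=TCP localport=20031 remoteip=any
As written, this rule blocks every remote address. Windows Firewall block rules take precedence over allow rules, so to keep access for trusted administrators, set remoteip to the untrusted ranges instead of any.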
Use local firewall to restrict port 20031/TCP
JSON RPC Service Disable
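Windows: Disable the vulnerable JSON RPC service if not required. The commands below stop and disable the named service as a whole, so backup jobs will not run while this workaround is in place.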
sc stop "NetVault Backup Service"
sc config "NetVault Backup Service" start= disabled
🧯 If You Can't Patch
- Implement strict network segmentation: Isolate NetVault Backup servers from the internet and restrict internal access to backup administrators only.
- Enable detailed logging and monitoring for authentication bypass attempts and unusual JSON RPC requests.
🔍 How to Verify
Check if Vulnerable:
Check NetVault Backup version: If version is 11.2.0.13 or earlier, the system is vulnerable. Test by attempting to access JSON RPC endpoints without valid authentication.
Check Version:
In NetVault Backup Web Interface: Navigate to Help → About, or check installed programs in Windows Control Panel
Verify Fix Applied:
Verify that the NetVault Backup version is 11.3.0.12 or later. Authentication bypass attempts should fail after the patch is installed.
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful JSON RPC requests
- Unusual checksession parameter values in JSON RPC logs
- Authentication bypass events in NetVault audit logs
Network Indicators:
- Unusual JSON RPC requests to port 20031/TCP from unauthorized sources
- Authentication bypass patterns in HTTP traffic to NetVault management interface
SIEM Query:
source="netvault.log" AND ("checksession" OR "JSON RPC") AND ("authentication bypass" OR "invalid session")
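The first log indicator above (a failed authentication followed by a successful JSON RPC request) can be checked with a small correlation pass. This is an added example, not Quest or ZDI code; the log line format, the event names AUTH_FAIL / AUTH_OK / RPC_OK and the function name are assumptions made for illustration, and lines are assumed to be in chronological order.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in an ASSUMED format: timestamp, source IP, event, detail.
# Real NetVault logs use a different layout and need their own parser.
SAMPLE_LOG = """\
2018-03-01T10:00:01 192.0.2.5 AUTH_FAIL user=admin
2018-03-01T10:00:09 192.0.2.5 RPC_OK method=GetJobs
2018-03-01T10:01:00 192.0.2.8 AUTH_OK user=backupop
2018-03-01T10:01:05 192.0.2.8 RPC_OK method=GetJobs
2018-03-01T10:02:00 192.0.2.9 AUTH_FAIL user=admin
2018-03-01T10:02:30 192.0.2.9 AUTH_OK user=admin
2018-03-01T10:02:40 192.0.2.9 RPC_OK method=GetJobs
2018-03-01T10:05:00 192.0.2.7 AUTH_FAIL user=root
2018-03-01T10:30:00 192.0.2.7 RPC_OK method=GetJobs
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (AUTH_FAIL|AUTH_OK|RPC_OK)\b")


def find_bypass_candidates(log_text, window=timedelta(minutes=5)):
    """Return (source_ip, rpc_time) pairs where a successful RPC call follows a
    failed login from the same source within `window`, with no successful
    login in between."""
    last_fail = {}  # source IP -> time of the most recent unresolved AUTH_FAIL
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        try:
            ts = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue  # malformed timestamp
        src, event = m.group(2), m.group(3)
        if event == "AUTH_FAIL":
            last_fail[src] = ts
        elif event == "AUTH_OK":
            last_fail.pop(src, None)  # a real login explains later RPC success
        elif src in last_fail and ts - last_fail[src] <= window:
            hits.append((src, ts.isoformat()))
    return hits


if __name__ == "__main__":
    for src, when in find_bypass_candidates(SAMPLE_LOG):
        print(f"review: {src} had a successful RPC call at {when} after a failed login")
```

A hit is a lead for review, not proof of exploitation: sessions established before the log window starts, or shared NAT addresses, can produce the same pattern.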