CVE-2017-8895 - Use After Free vulnerability in Veritas Backup Exec
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
In Veritas Backup Exec 2014 before build 14.1.1187.1126, 15 before build 14.2.1180.3160, and 16 before FP1, there is a use-after-free vulnerability in multiple agents that can lead to a denial of service or remote code execution. An unauthenticated attacker can use this vulnerability to crash the agent or potentially take control of the agent process and then the system it is running on.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 7 |
Common Weakness Enumeration (CWE)
Exploit-Db
description | Veritas/Symantec Backup Exec - SSL NDMP Connection Use-After-Free (Metasploit). CVE-2017-8895. Remote exploit for Windows platform. Tags: Metasploit Framework |
file | exploits/windows/remote/42282.rb |
id | EDB-ID:42282 |
last seen | 2017-06-29 |
modified | 2017-06-29 |
platform | windows |
port | 10000 |
published | 2017-06-29 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/42282/ |
title | Veritas/Symantec Backup Exec - SSL NDMP Connection Use-After-Free (Metasploit) |
type | remote |
Metasploit
description | This module exploits a use-after-free vulnerability in the handling of SSL NDMP connections in Veritas/Symantec Backup Exec's Remote Agent for Windows. When SSL is re-established on an NDMP connection that previously has had SSL established, the BIO struct for the connection's previous SSL session is reused, even though it has previously been freed. This module supports 3 specific versions of the Backup Exec agent in the 14, 15 and 16 series on 64-bit and 32-bit versions of Windows and has been tested from Vista to Windows 10. The check command can help narrow down what major and minor revision is installed and the precise version of Windows, but some other information may be required to make a reliable choice of target. NX, ASLR and Windows 8+ anti-ROP mitigations are bypassed. On Windows 8+, it has a reliability of around 85%. On other versions of Windows, reliability is around 35% (due to the need to win a race condition across the network in this case; this may drop further depending on network conditions). The agent is normally installed on all hosts in a domain that need to be backed up, so if one service crashes, try again on another :) Successful exploitation will give remote code execution as the user of the Backup Exec Remote Agent for Windows service, almost always NT AUTHORITY\SYSTEM. |
id | MSF:EXPLOIT/WINDOWS/BACKUPEXEC/SSL_UAF |
last seen | 2020-06-13 |
modified | 2017-07-24 |
published | 2017-05-23 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/backupexec/ssl_uaf.rb |
title | Veritas/Symantec Backup Exec SSL NDMP Connection Use-After-Free |
Nessus
NASL family | Windows |
NASL id | VERITAS_BACKUP_EXEC_REMOTE_AGENT_VTS17-006.NASL |
description | The version of Veritas Backup Exec Remote Agent installed on the remote Windows host is 14.1.x prior to 14.1.1786.1126, 14.2.x prior to 14.2.1180.3160, or 16.0.x prior to 16.0.1142.1327. It is, therefore, affected by a remote code execution vulnerability due to a use-after-free error that is triggered when creating SSL/TLS wrapped NDMP sessions. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code with SYSTEM level privileges. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 101294 |
published | 2017-07-07 |
reporter | This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/101294 |
title | Veritas Backup Exec Remote Agent 14.1.x < 14.1.1786.1126 / 14.2.x < 14.2.1180.3160 / 16.0.x < 16.0.1142.1327 Use-after-free RCE (VTS17-006) |
Packetstorm
data source | https://packetstormsecurity.com/files/download/143192/ssl_uaf.rb.txt |
id | PACKETSTORM:143192 |
last seen | 2017-06-29 |
published | 2017-06-29 |
reporter | Matthew Daley |
source | https://packetstormsecurity.com/files/143192/Veritas-Symantec-Backup-Exec-SSL-NDMP-Connection-Use-After-Free.html |
title | Veritas/Symantec Backup Exec SSL NDMP Connection Use-After-Free |
References
- http://www.securityfocus.com/bid/98386
- http://www.securitytracker.com/id/1038561
- https://www.exploit-db.com/exploits/42282/
- https://www.veritas.com/content/support/en_US/security/VTS17-006.html#Issue1