Vulnerabilities > CVE-2017-8895 - Use After Free vulnerability in Veritas Backup Exec

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
veritas
CWE-416
critical
nessus
exploit available
metasploit
NVD
Published: 2017-05-10
Updated: 2021-08-12

Summary

In Veritas Backup Exec 2014 before build 14.1.1187.1126, 15 before build 14.2.1180.3160, and 16 before FP1, there is a use-after-free vulnerability in multiple agents that can lead to a denial of service or remote code execution. An unauthenticated attacker can use this vulnerability to crash the agent or potentially take control of the agent process and then the system it is running on.

Vulnerable Configurations

Part Description Count
Application
Veritas
7

Common Weakness Enumeration (CWE)

Exploit-Db

descriptionVeritas/Symantec Backup Exec - SSL NDMP Connection Use-After-Free (Metasploit). CVE-2017-8895. Remote exploit for Windows platform. Tags: Metasploit Framework
fileexploits/windows/remote/42282.rb
idEDB-ID:42282
last seen2017-06-29
modified2017-06-29
platformwindows
port10000
published2017-06-29
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/42282/
titleVeritas/Symantec Backup Exec - SSL NDMP Connection Use-After-Free (Metasploit)
typeremote

Metasploit

descriptionThis module exploits a use-after-free vulnerability in the handling of SSL NDMP connections in Veritas/Symantec Backup Exec's Remote Agent for Windows. When SSL is re-established on a NDMP connection that previously has had SSL established, the BIO struct for the connection's previous SSL session is reused, even though it has previously been freed. This module supports 3 specific versions of the Backup Exec agent in the 14, 15 and 16 series on 64-bit and 32-bit versions of Windows and has been tested from Vista to Windows 10. The check command can help narrow down what major and minor revision is installed and the precise of version of Windows, but some other information may be required to make a reliable choice of target. NX, ASLR and Windows 8+ anti-ROP mitigations are bypassed. On Windows 8+, it has a reliability of around 85%. On other versions of Windows, reliability is around 35% (due to the need to win a race condition across the network in this case; this may drop further depending on network conditions). The agent is normally installed on all hosts in a domain that need to be backed up, so if one service crashes, try again on another :) Successful exploitation will give remote code execution as the user of the Backup Exec Remote Agent for Windows service, almost always NT AUTHORITY\SYSTEM.
idMSF:EXPLOIT/WINDOWS/BACKUPEXEC/SSL_UAF
last seen2020-06-13
modified2017-07-24
published2017-05-23
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/backupexec/ssl_uaf.rb
titleVeritas/Symantec Backup Exec SSL NDMP Connection Use-After-Free

Nessus

NASL familyWindows
NASL idVERITAS_BACKUP_EXEC_REMOTE_AGENT_VTS17-006.NASL
descriptionThe version of Vertias Backup Exec Remote Agent installed on the remote Windows host is 14.1.x prior to 14.1.1786.1126, 14.2.x prior to 14.2.1180.3160, or 16.0.x prior to 16.0.1142.1327. It is, therefore, affected by a remote code execution vulnerability due to a use-after-free error that is triggered when creating SSL/TLS wrapped NDMP sessions. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code with SYSTEM level privileges.
last seen2020-06-01
modified2020-06-02
plugin id101294
published2017-07-07
reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/101294
titleVeritas Backup Exec Remote Agent 14.1.x < 14.1.1786.1126 / 14.2.x < 14.2.1180.3160 / 16.0.x < 16.0.1142.1327 Use-after-free RCE (VTS17-006)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(101294);
  script_version("1.5");
  script_cvs_date("Date: 2018/11/15 20:50:29");

  script_cve_id("CVE-2017-8895");
  script_bugtraq_id(98386);
  script_xref(name:"EDB-ID", value:"42282");
  script_xref(name:"IAVA", value:"2017-A-0197");

  script_name(english:"Veritas Backup Exec Remote Agent 14.1.x < 14.1.1786.1126 / 14.2.x < 14.2.1180.3160 / 16.0.x < 16.0.1142.1327 Use-after-free RCE (VTS17-006)");
  script_summary(english:"Checks the version of Veritas Backup Exec Remote Agent.");

  script_set_attribute(attribute:"synopsis", value:
"A remote data protection agent installed on the remote host is
affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Vertias Backup Exec Remote Agent installed on the
remote Windows host is 14.1.x prior to 14.1.1786.1126, 14.2.x prior to
14.2.1180.3160, or 16.0.x prior to 16.0.1142.1327. It is, therefore,
affected by a remote code execution vulnerability due to a
use-after-free error that is triggered when creating SSL/TLS wrapped
NDMP sessions. An unauthenticated, remote attacker can exploit this to
cause a denial of service condition or the execution of arbitrary code
with SYSTEM level privileges.");
  script_set_attribute(attribute:"see_also", value:"https://www.veritas.com/content/support/en_US/security/VTS17-006.html");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2017/May/93");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Veritas Backup Exec Remote Agent version 14.1.1786.1126 /
14.2.1180.3160 / 16.0.1142.1327, or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Veritas/Symantec Backup Exec SSL NDMP Connection Use-After-Free');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/05/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:veritas:backup_exec_remote_agent");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");

  script_dependencies("veritas_backup_exec_remote_agent_installed.nbin");
  script_require_keys("installed_sw/Veritas Backup Exec Remote Agent", "SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  exit(0);
}

include("vcf.inc");

get_kb_item_or_exit("SMB/Registry/Enumerated");

app_info = vcf::get_app_info(app:"Veritas Backup Exec Remote Agent", win_local:TRUE);

constraints = [
  { "min_version" : "14.1", "fixed_version" : "14.1.1786.1126" },
  { "min_version" : "14.2", "fixed_version" : "14.2.1180.3160" },
  { "min_version" : "16.0", "fixed_version" : "16.0.1142.1327" }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/143192/ssl_uaf.rb.txt
idPACKETSTORM:143192
last seen2017-06-29
published2017-06-29
reporterMatthew Daley
sourcehttps://packetstormsecurity.com/files/143192/Veritas-Symantec-Backup-Exec-SSL-NDMP-Connection-Use-After-Free.html
titleVeritas/Symantec Backup Exec SSL NDMP Connection Use-After-Free

References