cbcvebase.
CVE-2017-12478
published 2017-08-07


Priority: P1 (85)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 78.27% (99.5th percentile)
It was discovered that the api/storage web interface in Unitrends Backup (UB) before 10.0.0 has an issue in which one of its input parameters was not validated. A remote attacker could use this flaw to bypass authentication and execute arbitrary commands with root privilege on the target system.

Affected

1 range

Vendor   Product            Version range   Fixed in
kaseya   unitrends_backup   < 10.0          10.0

Detection & IOCs (extracted from sources)

url:   /api/storage
url:   /api/storage/
url:   /api/systems/details
other: v0:b' UNION SELECT -1 -- :1:/usr/bp/logs.dir/gui_root.log:0
path:  /usr/bp/logs.dir/gui_root.log
  • Detect SQLi authentication bypass by inspecting the AuthToken HTTP header for the pattern 'UNION SELECT -1' or the base64-encoded equivalent of the known bypass string.
  • Alert on HTTP POST requests to /api/storage or /api/hosts containing backtick characters (`) in JSON body fields such as 'hostname' or 'share_name', indicating command injection attempts.
  • Monitor for HTTP GET requests to /api/systems/details with an AuthToken header containing a base64-encoded SQLi string as a pre-exploitation check/fingerprint step.
  • Flag HTTP 500 responses from /api/storage following a POST with a crafted AuthToken, as the exploit expects a 500 response upon successful command injection.
  • Detect use of the X-Requested-With: XMLHttpRequest header combined with a crafted AuthToken on POST requests to /api/storage as an indicator of exploit tooling.
  • CVE-2017-12478 affects UEB v9 (api/storage, runs as root); a related but distinct vulnerability, CVE-2018-6328, affects UEB v10 (api/hosts, runs as a limited user). The Metasploit module covers both.
  • The exploit was tested specifically against appliance version 9.1.0-2.201611302120.CentOS6; detection rules should account for CentOS6-based deployments.
  • The exploit communicates exclusively over HTTPS (port 443) with SSL enabled by default; network detection must inspect TLS traffic or rely on endpoint/log-based detection.
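As an added defender-side example (not part of this record, the Metasploit module or any vendor code), the following Python checker applies the header and body rules above to raw HTTP requests: it decodes the AuthToken header (falling back to the raw value when it is not base64) and looks for the "UNION SELECT -1" bypass pattern, flags GET /api/systems/details fingerprinting with a crafted token, flags backticks in the hostname or share_name JSON fields of POSTs to /api/storage or /api/hosts, and flags the X-Requested-With: XMLHttpRequest header combined with a crafted token. The sample requests, hostnames, benign token and finding tags are constructed for the example; the bypass string is the one listed under IOCs. The HTTP 500 rule needs response correlation and is not covered here.

```python
import base64
import json
import re

# Patterns taken from the detection guidance in the record. The bypass string
# below is the decoded form of the token listed under IOCs.
BYPASS_PATTERN = re.compile(r"UNION\s+SELECT\s+-1", re.IGNORECASE)
WATCHED_POST_PATHS = ("/api/storage", "/api/hosts")
WATCHED_JSON_FIELDS = ("hostname", "share_name")
FINGERPRINT_PATH = "/api/systems/details"


def decode_authtoken(token: str) -> str:
    """Return the base64-decoded AuthToken if it is valid base64, else the raw value.

    Falling back to the raw value means a plaintext (unencoded) bypass string
    is still matched by the caller.
    """
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return token


def parse_request(raw: str):
    """Minimal HTTP/1.1 request parser returning (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return method, path, headers, body


def inspect_request(raw: str) -> list:
    """Return finding tags for one request; an empty list means nothing matched."""
    findings = []
    method, path, headers, body = parse_request(raw)
    norm_path = path.rstrip("/") or "/"

    token = headers.get("authtoken")
    sqli_token = bool(token) and BYPASS_PATTERN.search(decode_authtoken(token)) is not None
    if sqli_token:
        findings.append("sqli-authtoken")

    # Pre-exploitation fingerprint: GET /api/systems/details with a crafted token.
    if sqli_token and method == "GET" and norm_path == FINGERPRINT_PATH:
        findings.append("recon-systems-details")

    # Command-injection indicator: backtick in watched JSON fields of a POST.
    if method == "POST" and norm_path in WATCHED_POST_PATHS:
        try:
            fields = json.loads(body) if body.strip() else {}
        except json.JSONDecodeError:
            fields = {}
        if not isinstance(fields, dict):
            fields = {}
        for name in WATCHED_JSON_FIELDS:
            value = fields.get(name)
            if isinstance(value, str) and "`" in value:
                findings.append(f"cmdi-backtick:{name}")
        # Exploit-tooling indicator: XHR header together with a crafted token.
        if sqli_token and headers.get("x-requested-with") == "XMLHttpRequest":
            findings.append("tooling-xhr-authtoken")

    return findings


# Constructed sample traffic (not captured from a real appliance).
_BYPASS = "v0:b' UNION SELECT -1 -- :1:/usr/bp/logs.dir/gui_root.log:0"
CRAFTED_TOKEN = base64.b64encode(_BYPASS.encode()).decode()
BENIGN_TOKEN = base64.b64encode(b"v0:session-placeholder").decode()

BENIGN_REQUEST = (
    "GET /api/systems/details HTTP/1.1\r\n"
    "Host: backup.example.internal\r\n"
    f"AuthToken: {BENIGN_TOKEN}\r\n"
    "\r\n"
)

# Same fingerprint endpoint, but with the bypass string sent unencoded.
RECON_REQUEST = (
    "GET /api/systems/details HTTP/1.1\r\n"
    "Host: backup.example.internal\r\n"
    f"AuthToken: {_BYPASS}\r\n"
    "\r\n"
)

SUSPICIOUS_REQUEST = (
    "POST /api/storage HTTP/1.1\r\n"
    "Host: backup.example.internal\r\n"
    f"AuthToken: {CRAFTED_TOKEN}\r\n"
    "X-Requested-With: XMLHttpRequest\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"hostname": "nas01`", "share_name": "backups"}'
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("recon", RECON_REQUEST),
                       ("suspicious", SUSPICIOUS_REQUEST)):
        print(label, inspect_request(req))
```

Because the appliance traffic is TLS-only, this logic is meant to run on decrypted request logs or a TLS-terminating proxy, not on raw packet captures; the base64 fallback also keeps an unencoded token from slipping past the rule.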

CVSS provenance

NVD, v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C