CVE-2017-17417
Published 2018-02-08
Priority P2, 72, critical, 9.8 (CVSS 3.0)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 10.00% (95.0th percentile)
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NVBUPhaseStatus Acknowledge method requests. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the underlying database. Was ZDI-CAN-4228.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| quest | netvault_backup | — | — |
| quest | quest_netvault_backup | — | — |
Detection & IOCs (extracted from sources)
Command (JSON-RPC request body used by the exploit):

```json
{"jsonrpc":"2.0","method":"GET","params":{"classname":"NVBUPhaseStatus","updates":"none","where":"1=1*"},"id":1}
```
- Monitor for unauthenticated HTTP POST requests to the /query endpoint on the NetVault Backup server, particularly JSON-RPC payloads targeting the 'NVBUPhaseStatus' classname with a manipulated 'where' parameter (e.g., containing SQL injection markers like '1=1*').
- Detect JSON-RPC requests where the 'classname' field is 'NVBUPhaseStatus' and the 'where' field contains SQL injection payloads; this maps directly to the vulnerable NVBUPhaseStatus Acknowledge method.
- Alert on Content-Type 'application/json-rpc' combined with X-Requested-With 'XMLHttpRequest' headers in POST requests to /query, as this is the specific request profile used in exploitation.
- The vulnerability is exploitable without authentication; flag any POST /query requests lacking a valid SessionCookie or with a missing/empty SessionCookie header.
- The backend database is PostgreSQL; monitor for anomalous PostgreSQL query activity or boolean-based blind SQL injection patterns originating from the NetVault Backup process.
- The exploit targets Quest NetVault Backup version 11.3.0.12 specifically; verify the installed version before applying detection rules to avoid false positives on patched or unaffected versions.
- The exploit uses --force-ssl (HTTPS), so network-level detection requires SSL/TLS inspection to be enabled on monitoring infrastructure to inspect the JSON-RPC payload.
- Code execution occurs in the context of the underlying PostgreSQL database process, not the OS directly; post-exploitation monitoring should focus on database-level command execution (e.g., PostgreSQL COPY TO/FROM PROGRAM or similar RCE primitives).
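The detection points above, turned into a single request inspector as an added example (not code from the advisory, ZDI or Quest). The request dict shape, the `SessionCookie` header name as shown above, the marker list and the sample traffic are constructed for this example; the marker list will need tuning against real traffic.

```python
import json
import re

# Markers for a tampered 'where' clause; the probe quoted on this page uses '1=1*'.
# A short list like this is a starting point and will need tuning against real traffic.
WHERE_MARKERS = re.compile(r"\*|--|;|/\*|\b(or|and|union|select)\b", re.IGNORECASE)
TAUTOLOGY = re.compile(r"\b(\d+)\s*=\s*\1\b")  # e.g. 1=1


def inspect_request(req):
    """Findings for one request dict {'method','path','headers','body'} (assumed shape)."""
    findings = []
    if req["method"].upper() != "POST" or req["path"].split("?")[0] != "/query":
        return findings
    headers = {k.lower(): v for k, v in req["headers"].items()}
    if not headers.get("sessioncookie"):
        findings.append("unauthenticated POST /query (no SessionCookie)")
    if (headers.get("content-type", "").startswith("application/json-rpc")
            and headers.get("x-requested-with") == "XMLHttpRequest"):
        findings.append("JSON-RPC + XMLHttpRequest header profile on /query")
    try:
        params = json.loads(req["body"]).get("params") or {}
    except (ValueError, AttributeError):
        return findings  # body is not a JSON-RPC object; header findings still stand
    if isinstance(params, dict) and params.get("classname") == "NVBUPhaseStatus":
        where = str(params.get("where", ""))
        if WHERE_MARKERS.search(where) or TAUTOLOGY.search(where):
            findings.append(f"NVBUPhaseStatus query with suspicious where={where!r}")
    return findings


def scan(requests):
    """Map request index -> findings, omitting requests with none."""
    return {i: f for i, r in enumerate(requests) if (f := inspect_request(r))}


# Constructed sample traffic, not captured data. Request 0 mirrors the probe
# shown on this page; request 1 is an ordinary authenticated query.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/query",
     "headers": {"Content-Type": "application/json-rpc", "X-Requested-With": "XMLHttpRequest"},
     "body": '{"jsonrpc":"2.0","method":"GET","params":{"classname":"NVBUPhaseStatus",'
             '"updates":"none","where":"1=1*"},"id":1}'},
    {"method": "POST", "path": "/query",
     "headers": {"Content-Type": "application/json", "SessionCookie": "EXAMPLE-SESSION"},
     "body": '{"jsonrpc":"2.0","method":"GET","params":{"classname":"NVBUPhaseStatus",'
             '"updates":"none","where":"jobid=42"},"id":2}'},
]

if __name__ == "__main__": print(scan(SAMPLE_REQUESTS))
```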
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
No writeups or analysis indexed.