CVE-2017-3195
Published 2017-12-16
Priority: P270 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 21.39% (97.3rd percentile)
Commvault Edge Communication Service (cvd) prior to version 11 SP7 or version 11 SP6 with hotfix 590 is prone to a stack-based buffer overflow vulnerability that could lead to arbitrary code execution with administrative privileges.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| commvault | commvault | <= 11.0 | — |
| commvault | commvault | — | — |
| commvault | edge | — | — |
| commvault | service_pack_6 | — | — |
| commvault | service_pack_6 | — | — |
Detection & IOCs (extracted from sources)
- bytes: 0000003800000010000000100000000f00000000000000000000000000000000000000000000000000000000000000010000000000000000
- bytes: 0000100309000101090000000000ffe80000000800010000
- bytes: 0000100309000509000000090000ffe800000036
- bytes: 53534c634c6e54
- Monitor for TCP connections to port 8400 (Commvault Edge cvd service) originating from unexpected or external hosts, especially those sending oversized packets matching the three-stage handshake pattern in the PoC.
- Detect stack-based buffer overflow attempts: look for a payload segment in the third packet (pkt3) beginning with hex 53534c634c6e54 followed by a large block of repeated 0x41 bytes (208+ bytes) on port 8400.
- The exploit targets the Commvault Edge Communication Service (cvd) process; monitor for abnormal child processes or privilege escalation events spawned by cvd.exe.
- The PoC hardcodes a target IP (10.101.0.85); real-world attacks will vary the destination IP. Detection should focus on the packet content and port, not the IP.
- Vulnerable versions are Commvault Edge cvd prior to 11 SP7, or 11 SP6 without hotfix 590. Patched installations are not affected.
CVSS provenance
- nvd, v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- nvd, v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
GHSA
GHSA-h4f8-5wh7-64hg · ghsa_unreviewed · 2022-05-13
CVE-2017-3195 [CRITICAL] CWE-119
Commvault Edge Communication Service (cvd) prior to version 11 SP7 or version 11 SP6 with hotfix 590 is prone to a stack-based buffer overflow vulnerability that could lead to arbitrary code execution with administrative privileges.
GHSA
GHSA-xr74-c8hv-6762 · ghsa_unreviewed · 2022-05-13 · CVSS 9.8
CVE-2017-18044 [CRITICAL] CWE-78
A Command Injection issue was discovered in ContentStore/Base/CVDataPipe.dll in Commvault before v11 SP6. A certain message parsing function inside the Commvault service does not properly validate the input of an incoming string before passing it to CreateProcess. As a result, a specially crafted message can inject commands that will be executed on the target operating system. Exploitation of this vulnerability does not require authentication and can lead to SYSTEM level privilege on any system running the cvd daemon. This is a different vulnerability than CVE-2017-3195.
References
- http://kb.commvault.com/article/SEC0013
- http://redr2e.com/commvault-edge-cve-2017-3195/
- http://www.securityfocus.com/bid/96941
- https://www.exploit-db.com/exploits/41823/
- https://www.kb.cert.org/vuls/id/214283