CVE-2017-8895
published 2017-05-10

CVSS 3.0: 9.8 (critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Priority: P279
Exploit: public exploit available
EPSS: 71.00% (99.3rd percentile)
In Veritas Backup Exec 2014 before build 14.1.1187.1126, 15 before build 14.2.1180.3160, and 16 before FP1, there is a use-after-free vulnerability in multiple agents that can lead to a denial of service or remote code execution. An unauthenticated attacker can use this vulnerability to crash the agent or potentially take control of the agent process and then the system it is running on.

Affected (3 ranges)

Vendor    Product       Version range       Fixed in
veritas   backup_exec   < 14.1.1786.1126    14.1.1786.1126
veritas   backup_exec   < 14.2.1180.3160    14.2.1180.3160
veritas   backup_exec   < 16.0.1142.1327    16.0.1142.1327

Detection & IOCs (extracted from sources)

port: 10000
command: SSL NDMP re-establishment trigger: re-establish SSL on an existing NDMP connection to reuse the freed BIO struct
other: becrypto.dll base address (non-ASLR) x64: 0x0be00000
other: becrypto.dll base address (non-ASLR) x86: 0x63100000
other: ROP stack pivot gadget x64 BE14: lea rsp, qword ptr [rbp + 0x10]; pop rbp; ret @ 0xbe5ecf2
other: ROP stack pivot gadget x86 BE14: mov esp, ebp; pop ebp; ret @ 0x631017fd
process: Backup Exec Remote Agent for Windows (NT AUTHORITY\SYSTEM)
  • Monitor for repeated SSL/TLS negotiation attempts on TCP port 10000 (NDMP) from unauthenticated sources: the exploit re-establishes SSL on an existing NDMP connection to trigger the UAF.
  • Detect heap-spray activity on TCP/10000: the exploit opens a large number of sockets to spray stage 1 and TLS extensions before triggering the vulnerability.
  • Alert on Backup Exec Remote Agent process crashes or unexpected restarts on TCP/10000: the exploit may crash the agent during failed attempts and retry on other hosts.
  • Flag memory at the non-ASLR becrypto.dll base addresses (0x0be00000 on x64, 0x63100000 on x86) being used as ROP/pivot anchors in the process memory of the Backup Exec agent.
  • Exploit reliability is platform-dependent: ~85% on Windows 8+ and only ~35% on older Windows versions due to a network race condition, which may drop further under poor network conditions.
  • The Metasploit module targets only specific builds: BE 14 before 14.1.1187.1126, BE 15 before 14.2.1180.3160, and BE 16 before FP1; the check command can help identify the exact revision installed.
  • NX, ASLR, and Windows 8+ anti-ROP mitigations are bypassed by the exploit using becrypto.dll's non-ASLR base address as a ROP anchor; patching, or enabling ASLR for becrypto.dll, would break the exploit chain.

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C