10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.01 Low
EPSS
Percentile
83.5%
According to its self-reported version, the remote Veritas NetBackup Appliance is 2.6.0.x equal or prior to 2.6.0.4, 2.6.1.x equal or prior to 2.6.1.2, or 2.7.x equal or prior to 2.7.3. It is, therefore, affected by an unspecified flaw that allows an unauthenticated, remote attacker to execute arbitrary commands with root privileges.
Note that Nessus did not check to see if an available hotfix was applied.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(94671);
script_version("1.5");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2016-7399");
script_name(english:"Veritas NetBackup Appliance 2.6.0.x / 2.6.1.x / 2.7.x RCE (VTS16-002)");
script_set_attribute(attribute:"synopsis", value:
"The remote backup management appliance is affected by a remote
command execution vulnerability.");
script_set_attribute(attribute:"description", value:
"According to its self-reported version, the remote Veritas NetBackup
Appliance is 2.6.0.x equal or prior to 2.6.0.4, 2.6.1.x equal or prior
to 2.6.1.2, or 2.7.x equal or prior to 2.7.3. It is, therefore,
affected by an unspecified flaw that allows an unauthenticated, remote
attacker to execute arbitrary commands with root privileges.
Note that Nessus did not check to see if an available hotfix was
applied.");
script_set_attribute(attribute:"see_also", value:"https://www.veritas.com/content/support/en_US/security/VTS16-002.html");
script_set_attribute(attribute:"solution", value:
"Upgrade to Veritas NetBackup Appliance version 2.6.0.4, 2.6.1.2, or
2.7.3, and then apply the relevant hotfix as referenced in the vendor
advisory.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/04");
script_set_attribute(attribute:"patch_publication_date", value:"2016/10/04");
script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/10");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:veritas:netbackup_appliance");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2016-2022 Tenable Network Security, Inc.");
script_dependencies("veritas_netbackup_appliance_web_console_detect.nbin");
script_require_keys("installed_sw/NetBackup Appliance");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");
app = "NetBackup Appliance";
install = get_single_install(
app_name : app,
combined : TRUE,
exit_if_unknown_ver : TRUE
);
port = install["port"];
path = install["path"];
version = install["version"];
display_version = install["display_version"];
# Require 3 version parts for 2.7.x and 4 parts for 2.6.0.x
if (version =~ '^2(\\.[67]|\\.6\\.0)?$')
audit(AUDIT_VER_NOT_GRANULAR, app, port, display_version);
if (version =~ '^2\\.6\\.1$' && report_paranoia < 2)
audit(AUDIT_VER_NOT_GRANULAR, app, port, display_version);
vers = make_array();
vers['2.7']['fix'] = '2.7.3';
vers['2.7']['minver'] = '2.7.0';
vers['2.7']['hotfix'] = 'ET3900678';
vers['2.6.1']['fix'] = '2.6.1.2';
vers['2.6.1']['minver'] = '2.6.1.0';
vers['2.6.1']['hotfix'] = 'ET3900680';
vers['2.6.0']['fix'] = '2.6.0.4';
vers['2.6.0']['minver'] = '2.6.0.1';
vers['2.6.0']['hotfix'] = 'ET3900681';
caveat = '';
fixed_ver = '';
foreach ver(vers)
{
ret = ver_compare(ver:version, fix:ver['fix'], minver:ver['minver']);
if(!isnull(ret) && ret <= 0)
{
# If the version matches the fixed version, we don't know whether or not the hotfix
# has been applied, so exit unless report paranoia is Paranoid
if(ret == 0)
{
if(report_paranoia < 2)
audit(AUDIT_PARANOID);
caveat =
'\n Note that Nessus did not check to see if the hotfix has' +
'\n been applied.\n';
}
# If the version is below the fixed version, we know the hotfix hasn't been applied
# because it requires upgrade to the latest version as a prerequisite
fixed_ver = ver['fix'] + ' hotfix ' + ver['hotfix'];
break;
}
}
if(empty_or_null(fixed_ver))
audit(AUDIT_INST_PATH_NOT_VULN, app, display_version, path);
install_url = build_url(port:port, qs:path);
items = make_array(
"Path", install_url,
"Installed version", display_version,
"Fixed version", fixed_ver
);
order = make_list("Path","Installed version","Fixed version");
report = report_items_str(report_items:items, ordered_fields:order) + caveat;
security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
Vendor | Product | Version | CPE |
---|---|---|---|
veritas | netbackup_appliance | cpe:/a:veritas:netbackup_appliance |
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.01 Low
EPSS
Percentile
83.5%