CVE-2017-8895
Description
In Veritas Backup Exec 2014 before build 14.1.1187.1126, 15 before build 14.2.1180.3160, and 16 before FP1, there is a use-after-free vulnerability in multiple agents that can lead to a denial of service or remote code execution. An unauthenticated attacker can use this vulnerability to crash the agent or potentially take control of the agent process and then the system it is running on.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Metasploit modules
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| veritas | backup_exec | {"endExcluding":"14.1.1786.1126"} | 14.1.1786.1126 |
References
- http://www.securityfocus.com/bid/98386
- http://www.securitytracker.com/id/1038561
- https://www.exploit-db.com/exploits/42282/
- https://www.veritas.com/content/support/en_US/security/VTS17-006.html#Issue1
- http://www.securityfocus.com/bid/98386
- http://www.securitytracker.com/id/1038561
- https://www.exploit-db.com/exploits/42282/
- https://www.veritas.com/content/support/en_US/security/VTS17-006.html#Issue1
CWEs
CWE-416
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.