search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Commvault Edge contains a buffer overflow vulnerability

Vulnerability Note VU#214283

Original Release Date: 2017-03-16 | Last Revised: 2017-03-16

Overview

Commvault Edge, version 11 SP6 (11.80.50.0), is vulnerable to a stack-based buffer overflow vulnerability.

Description

CWE-121: Stack-based Buffer Overflow - CVE-2017-3195

A stack based buffer overflow in the Commvault Edge Communication Service (cvd) allows remote attackers to execute arbitrary code via crafted packets, exploiting weaknesses in the key exchange mechanism. Access to TCP port 8400 (by default) on the target machine is necessary to exploit this vulnerability.

Impact

An unauthenticated remote attacker can execute arbitrary code with root/SYSTEM privileges.

Solution

Apply an update
Commvault has provided fixes in the latest service pack (SP7 and above) to address the vulnerability. SP6 customers can use hotfix 590.

Vendor Information

214283
Expand all

Commvault

Notified:  January 24, 2017 Updated:  March 16, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://kb.commvault.com/article/SEC0013

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base 10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 7.8 E:POC/RL:OF/RC:C
Environmental 2 CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Claudio Moletta for reporting this vulnerability.

This document was written by Trent Novelly.

Other Information

CVE IDs: CVE-2017-3195
Date Public: 2017-03-15
Date First Published: 2017-03-16
Date Last Updated: 2017-03-16 13:26 UTC
Document Revision: 8

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.