CERT Coordination Center

Commvault Edge contains a buffer overflow vulnerability

Vulnerability Note VU#214283

Original Release Date: 2017-03-16 | Last Revised: 2017-03-16

Overview

Commvault Edge, version 11 SP6 (11.80.50.0), is vulnerable to a stack-based buffer overflow.

Description

CWE-121: Stack-based Buffer Overflow - CVE-2017-3195

A stack-based buffer overflow in the Commvault Edge Communication Service (cvd) allows remote attackers to execute arbitrary code via crafted packets that exploit weaknesses in the key exchange mechanism. Access to TCP port 8400 (by default) on the target machine is necessary to exploit this vulnerability.

Impact

An unauthenticated remote attacker can execute arbitrary code with root/SYSTEM privileges.

Solution

Apply an update
Commvault has provided fixes in the latest service pack (SP7 and above) to address the vulnerability. SP6 customers can use hotfix 590.

Vendor Information

Commvault Affected

Notified: January 24, 2017 | Updated: March 16, 2017

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group          Score  Vector
Base           10     AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       7.8    E:POC/RL:OF/RC:C
Environmental  2.0    CDP:ND/TD:L/CR:ND/IR:ND/AR:ND
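
The three scores above follow from the CVSS v2 equations applied to the listed vectors. The Python below is an added example, not part of the original note: it recomputes them and makes visible that the environmental score of 2.0 comes from the Target Distribution value (TD:L, weight 0.25). The metric weights are those of the CVSS v2 specification; the function and variable names are illustrative.

```python
from decimal import Decimal as D, ROUND_HALF_UP

CIA = {"N": "0", "P": "0.275", "C": "0.660"}
REQ = {"L": "0.5", "M": "1.0", "H": "1.51", "ND": "1.0"}
# CVSS v2 metric weights, keyed by metric name then metric value.
W = {
    "AV": {"L": "0.395", "A": "0.646", "N": "1.0"},
    "AC": {"H": "0.35", "M": "0.61", "L": "0.71"},
    "Au": {"M": "0.45", "S": "0.56", "N": "0.704"},
    "C": CIA, "I": CIA, "A": CIA,
    "E": {"U": "0.85", "POC": "0.9", "F": "0.95", "H": "1.0", "ND": "1.0"},
    "RL": {"OF": "0.87", "TF": "0.90", "W": "0.95", "U": "1.0", "ND": "1.0"},
    "RC": {"UC": "0.90", "UR": "0.95", "C": "1.0", "ND": "1.0"},
    "CDP": {"N": "0", "L": "0.1", "LM": "0.3", "MH": "0.4", "H": "0.5", "ND": "0"},
    "TD": {"N": "0", "L": "0.25", "M": "0.75", "H": "1.0", "ND": "1.0"},
    "CR": REQ, "IR": REQ, "AR": REQ,
}
# Vectors as published in this vulnerability note.
BASE = "AV:N/AC:L/Au:N/C:C/I:C/A:C"
TEMPORAL = "E:POC/RL:OF/RC:C"
ENVIRONMENTAL = "CDP:ND/TD:L/CR:ND/IR:ND/AR:ND"

def parse(*vectors):
    """Map 'AV:N/AC:L/...' strings to {metric: Decimal weight}."""
    pairs = (part.split(":") for vec in vectors for part in vec.split("/"))
    return {name: D(W[name][value]) for name, value in pairs}

def r1(x):
    """Round to one decimal, half up (binary floats would turn 1.95 into 1.9)."""
    return x.quantize(D("0.1"), rounding=ROUND_HALF_UP)

def base_score(m, adjusted=False):
    c, i, a = m["C"], m["I"], m["A"]
    if adjusted:  # environmental variant: scale impact by security requirements
        c, i, a = c * m["CR"], i * m["IR"], a * m["AR"]
    impact = D("10.41") * (1 - (1 - c) * (1 - i) * (1 - a))
    if adjusted:
        impact = min(D(10), impact)
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    f = D(0) if impact == 0 else D("1.176")
    return r1((D("0.6") * impact + D("0.4") * exploitability - D("1.5")) * f)

def temporal_score(m, adjusted=False):
    return r1(base_score(m, adjusted) * m["E"] * m["RL"] * m["RC"])

def environmental_score(m):
    t = temporal_score(m, adjusted=True)
    return r1((t + (10 - t) * m["CDP"]) * m["TD"])

if __name__ == "__main__":
    m = parse(BASE, TEMPORAL, ENVIRONMENTAL)
    print(base_score(m), temporal_score(m), environmental_score(m))
```

Substituting `TD:H` for `TD:L` in the environmental vector returns 7.8, so the published 2.0 should be recalculated with the Target Distribution that matches the share of hosts in your environment running the affected service.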

Acknowledgements

Thanks to Claudio Moletta for reporting this vulnerability.

This document was written by Trent Novelly.

Other Information

CVE IDs: CVE-2017-3195
Date Public: 2017-03-15
Date First Published: 2017-03-16
Date Last Updated: 2017-03-16 13:26 UTC
Document Revision: 10

Sponsored by CISA.