Patch for BakBone NetVault Reporter to fix vulnerability
TippingPoint has reported a vulnerability in BakBone NetVault Reporter 3.5 that allows attackers to take control of a system. The NetVault Reporter tool is designed to monitor storage systems in LANs. A heap overflow vulnerability exists in both the scheduler client and the scheduler server, and it can be triggered with GET and POST requests to TCP port 7977 or 7978. An attacker only has to supply an excessively long file name in such a request. According to the advisory, this allows attackers to inject code and execute it with system privileges.
The vendor has provided NetVault Report Manager v3.5 Update4 to fix this hole.
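Until the update is installed, traffic to the two scheduler ports can be screened for the over-long file names described above. The following Python code is an added example, not code from TippingPoint or BakBone; the 255-byte threshold, the function names and the sample records are assumptions constructed for illustration.

```python
SCHEDULER_PORTS = {7977, 7978}  # TCP ports named in the advisory text
MAX_NAME_LEN = 255              # assumed threshold; the advisory gives no length


def longest_file_name(target: bytes) -> int:
    """Length of the longest path component in a request target."""
    path = target.split(b"?", 1)[0]  # ignore any query string
    # Raw (still percent-encoded) length is measured; it is never shorter
    # than the decoded length, so the check errs on the side of alerting.
    return max(len(segment) for segment in path.split(b"/"))


def inspect(dst_port: int, payload: bytes):
    """Return an alert string for a suspicious request, otherwise None."""
    if dst_port not in SCHEDULER_PORTS:
        return None
    # Only the request line matters. A captured segment may be truncated
    # before the HTTP version or CRLF, so neither is required here.
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2 or parts[0] not in (b"GET", b"POST"):
        return None
    name_len = longest_file_name(parts[1])
    if name_len > MAX_NAME_LEN:
        return (f"{parts[0].decode()} to port {dst_port}: file name of "
                f"{name_len} bytes exceeds {MAX_NAME_LEN}")
    return None


def scan(records):
    """Run inspect() over (dst_port, payload) pairs and collect alerts."""
    alerts = (inspect(port, payload) for port, payload in records)
    return [alert for alert in alerts if alert is not None]


# Constructed sample records (destination port, first bytes of the TCP payload).
SAMPLE_RECORDS = [
    (7977, b"GET /reports/daily.html HTTP/1.0\r\n\r\n"),        # normal request
    (7978, b"POST /" + b"A" * 1024 + b" HTTP/1.0\r\n\r\n"),     # over-long name
    (80,   b"GET /" + b"A" * 1024 + b" HTTP/1.0\r\n\r\n"),      # not a scheduler port
    (7977, b"GET /" + b"B" * 600),                              # truncated capture
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```

The same length check can be expressed as an IDS or reverse-proxy rule; the threshold should be set from the longest file name the deployment legitimately uses.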
- BakBone NetVault Reporter Scheduler Heap Overflow Vulnerability, security advisory by TippingPoint