Robvil
Expert
Posts: 172
Liked: 20 times
Joined: Oct 03, 2016 12:41 pm
Full Name: Robert
Contact:

TCP port 6160 cross-site scripting

Post by Robvil »

Hi

We had an internal security test done, and the report shows that several machines might be affected by cross-site scripting.

All the machines they list have the Veeam agent installed. They write:
1.2.3.1:6160 (tcp)
1.2.3.2:6160 (tcp)
......

The remote web server is affected by a cross-site scripting vulnerability.

Snip from test:
http/1.1 200 ok
content-type text/plain
cache-control: no-cache
Connection:Close
date: .....
Server: .....
Accept ranges: none
Content-length: 349

Note that this XSS attack may only work against web browsers that have content sniffing enabled.

The only service I can locate so far that is using TCP port 6160 is Veeam. I know, of course, that this port does not serve as a normal webserver - and we should not be affected at all.

But when does Veeam communicate with agents on port 6160? I cannot see any connections to this port with netstat -on -p tcp | find "6160", so I suspect this port is only active periodically.

Robert
nielsengelen
Product Manager
Posts: 5619
Liked: 1177 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: TCP port 6160 cross-site scripting

Post by nielsengelen »

Port 6160 is the default port used by the Veeam installer service. There is no webservice running behind it.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
Robvil

Re: TCP port 6160 cross-site scripting

Post by Robvil »

Thanks. Then it's not Veeam .....
dellock6
Veeam Software
Posts: 6137
Liked: 1928 times
Joined: Jul 26, 2009 3:39 pm
Full Name: Luca Dell'Oca
Location: Varese, Italy
Contact:

Re: TCP port 6160 cross-site scripting

Post by dellock6 »

Be careful if you are using automated tools like Nessus; they are really powerful, but sometimes you need to filter their results and apply some common sense: I've seen a few times Nessus listing Apache vulnerabilities against an IIS webserver, only because the server was not properly identified at first. I would try to isolate the test and see what it's looking for.
Luca Dell'Oca
Principal EMEA Cloud Architect @ Veeam Software

@dellock6
https://www.virtualtothecore.com/
vExpert 2011 -> 2022
Veeam VMCE #1
Robvil

Re: TCP port 6160 cross-site scripting

Post by Robvil »

Yeah, I already ruled out a lot of stuff which is not relevant. Many Cisco alerts are not relevant, as Nessus cannot see the configuration.
But regarding TCP port 6160 - I found something interesting. It looks like it's a print driver which is periodically opening this port (for whatever reason, I don't know yet), as I can see the PID associated with the port is spoolsv.exe before it goes to PID 0, as the connection is gone again very fast. I think it's the drivers for our label printers.
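
A way to catch the short-lived listener described in the post above (added example, not part of the original thread): poll `netstat -ano` and record which PID owns local port 6160 each time it appears, matching the local port exactly rather than by substring. The sample output and the PIDs in it are constructed.

```python
import re
import subprocess
import time

# Constructed sample of Windows `netstat -ano -p tcp` output (PIDs are made up).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:6160           0.0.0.0:0              LISTENING       2488
  TCP    10.0.0.5:6160          10.0.0.9:51514         ESTABLISHED     2488
  TCP    10.0.0.5:6160          10.0.0.9:51520         TIME_WAIT       0
  TCP    10.0.0.5:61600         10.0.0.7:443           ESTABLISHED     4100
"""

# proto, local addr:port, foreign addr, state, owning PID
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def owners(netstat_text, port):
    """Return [(state, pid, remote)] for sockets whose LOCAL port equals `port`.

    A plain `find "6160"` would also hit port 61600 and foreign ports.
    """
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m and int(m.group(2)) == port:
            hits.append((m.group(4), int(m.group(5)), m.group(3)))
    return hits

def watch(port=6160, interval=0.5, rounds=120):
    """Poll netstat; print and return every non-zero PID seen owning the port."""
    seen = set()
    for _ in range(rounds):
        out = subprocess.run(["netstat", "-ano", "-p", "tcp"],
                             capture_output=True, text=True).stdout
        for state, pid, remote in owners(out, port):
            if pid and pid not in seen:  # PID 0 rows are closed sockets in TIME_WAIT
                seen.add(pid)
                print(time.strftime("%H:%M:%S"), state, pid, remote)
        time.sleep(interval)
    return seen

if __name__ == "__main__":
    print(owners(SAMPLE, 6160))
```

Run `watch()` on the flagged host while the scan or a print job is active, then resolve each PID with `tasklist /FI "PID eq <pid>"`.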
dellock6

Re: TCP port 6160 cross-site scripting

Post by dellock6 »

Out of curiosity I googled a bit for spoolsrv.exe and 6160, and it seems indeed that it's a TCP port that the spooler service may use, even if I didn't find any more detail. So, probably Nessus has the spool service in its database, so it lists this port as belonging to the spooler service. It's interesting nonetheless, as we may have a port conflict with another product...
imscubasteve
Lurker
Posts: 1
Liked: never
Joined: Mar 10, 2020 2:51 pm
Full Name: Bryan Walls
Contact:

Re: TCP port 6160 cross-site scripting

Post by imscubasteve »

Did you ever figure out what was causing the alert? I am getting the same alert from Nessus on my label printing servers, so I suspect that it was something to do with the drivers, but I'm trying to pinpoint it.
Robvil

Re: TCP port 6160 cross-site scripting

Post by Robvil »

Well, never came closer than it's related to the label printer drivers and we ignore this.

/Robert
wishr
Veteran
Posts: 3077
Liked: 453 times
Joined: Aug 07, 2018 3:11 pm
Full Name: Fedor Maslov
Contact:

Re: TCP port 6160 cross-site scripting

Post by wishr »

Hello gentlemen,

Vulnerability scanners operate on patterns for discovering vulnerabilities. For example, in the case of web vulnerabilities and misconfigurations, usually an HTTP request is sent and then the response from the target host is matched against a pattern defined in the vulnerability detection check. This approach does not guarantee 100% accuracy and sometimes might cause false positives and false negatives in the results. This is not something uncommon and usually, in such cases, it's recommended to involve both the security software vendor and the vendor in whose product the issue has been found to get it sorted (obviously this will not be a quick solution).

An XSS vulnerability implies there is a web service running on the affected host:port. Based on my personal experience, printer drivers/software frequently get "forgotten" and do not get proper updates, including security ones, so I will not be surprised if this is the case. An interesting thing here is what this web service is supposed to do if it's a part of the printer driver...

As a workaround, you may use an IPS system to mitigate this risk if a real remediation is not possible; just make sure it does not break the printer driver operations :) Or simply ignore it if it's proven to be a false positive.

Thanks
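
The pattern-matching check described in this post, turned into a triage step for a finding like the one in this thread (added example, not part of the original posts and not Nessus's own logic). It takes a captured response and the scanner's probe string and reports whether the reflection is rendered as markup, depends on browser content sniffing, or is neutralised. The capture is constructed from the header snippet in the first post; the body, the probe marker and the verdict names are assumptions.

```python
from email.parser import Parser

# Hypothetical neutral marker standing in for the scanner's probe string.
PROBE = "<xss-probe-7f3a>"

# Constructed capture modelled on the headers quoted in the first post.
CAPTURE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/plain\r\n"
    "Cache-Control: no-cache\r\n"
    "Connection: Close\r\n"
    "Accept-Ranges: none\r\n"
    "\r\n"
    "Unknown request: /<xss-probe-7f3a>\r\n"
)

# Types a browser renders as active markup (assumed, non-exhaustive list).
SCRIPTABLE = {"text/html", "application/xhtml+xml", "image/svg+xml"}

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status_line, _, header_block = head.partition("\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    return int(status_line.split()[1]), headers, body

def triage(raw, probe):
    """Classify a reflected-XSS scanner hit from the response alone."""
    _, headers, body = parse_response(raw)
    if probe not in body:
        return "not-reflected"       # encoded or absent: pattern false positive
    declared = headers.get("Content-Type")
    ctype = headers.get_content_type() if declared else None
    if ctype in SCRIPTABLE:
        return "confirmed"           # browser will parse the reflection as markup
    nosniff = headers.get("X-Content-Type-Options", "").strip().lower() == "nosniff"
    if nosniff:
        return "mitigated"           # browser must honour the declared type
    return "sniffing-dependent"      # matches the caveat in the scan report

if __name__ == "__main__":
    print(triage(CAPTURE, PROBE))
```

A "sniffing-dependent" result is what the report's content-sniffing note describes: the service reflects input in a `text/plain` body without `X-Content-Type-Options: nosniff`.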