Comprehensive data protection for all workloads
Post Reply
Robvil
Expert
Posts: 129
Liked: 13 times
Joined: Oct 03, 2016 12:41 pm
Full Name: Robert
Contact:

TCP port 6160 cross-site scripting

Post by Robvil » Apr 03, 2017 2:15 pm

Hi

We had a internal secure test done, and the report shows that several machines might be afftected by cross-site scripting.

All the machines they lists has Veeam agent installed. They write:
1.2.3.1:6160 (tcp)
1.2.3.2:6160 (tcp)
......

the remote web server is affected by a cross site scripting vulnerability.

Snip from test;
http/1.1 200 ok
content-type text/plain
cache-control: no-cache
Connection:Close
date: .....
Server: .....
Accept ranges: none
Content-length: 349

Note that this XSS attack may only work against web browsers web browsers that have content sniffing enabled.

The only service so far, i can locate, that is using tcp port 6160 is Veeam. I know of cause this port do not serve as a normal webserver - and we should not be affected at all.

But when do Veeam cummunicate with agents on port 6160? I cannot see any connections to this port with netstat -on -p tcp | find "6160", so i suspect it´s only periodicly this port is active.

Robert

nielsengelen
Veeam Software
Posts: 2634
Liked: 540 times
Joined: Jul 15, 2013 11:09 am
Full Name: Niels Engelen
Contact:

Re: TCP port 6160 cross-site scripting

Post by nielsengelen » Apr 03, 2017 2:22 pm

Port 6160 is the default port used by the Veeam installer service. There is no webservice running behind it.
VCP-DCV
Veeam Certified Architect (VMCA)
http://foonet.be

Robvil
Expert
Posts: 129
Liked: 13 times
Joined: Oct 03, 2016 12:41 pm
Full Name: Robert
Contact:

Re: TCP port 6160 cross-site scripting

Post by Robvil » Apr 03, 2017 3:03 pm

Thanks. Then it´s not Veeam .....

dellock6
Veeam Software
Posts: 5732
Liked: 1622 times
Joined: Jul 26, 2009 3:39 pm
Full Name: Luca Dell'Oca
Location: Varese, Italy
Contact:

Re: TCP port 6160 cross-site scripting

Post by dellock6 » Apr 03, 2017 10:45 pm

Be careful it you are using automated tools like Nessus, they are really powerful but sometimes you need to filter their results and apply some common sense: I've seena few times Nessus listing apache vulnerabilities against an IIS webserver, only because the server was not properly identified at first. I would try to isolate the test and see what's looking for.
Luca Dell'Oca
Principal EMEA Cloud Architect @ Veeam Software

@dellock6
https://www.virtualtothecore.com/
vExpert 2011 -> 2019
Veeam VMCE #1

Robvil
Expert
Posts: 129
Liked: 13 times
Joined: Oct 03, 2016 12:41 pm
Full Name: Robert
Contact:

Re: TCP port 6160 cross-site scripting

Post by Robvil » Apr 04, 2017 6:13 am

Yah, i already rulled out a lot of stuff which is not relevant. Many Cisco alerts is not relevant, as Nessus cannot see the configuration.
But regarding the tcp port 6160 - i found something interesting. It looks as it´s a printdriver which is periodicly opening this port up (for whatever reason i don´t know yet), as i can see the PID associated with the port is spoolsv.exe before it goes to PID 0, as the connection is gone very fast again. I think it´s drivers for our label printers.

dellock6
Veeam Software
Posts: 5732
Liked: 1622 times
Joined: Jul 26, 2009 3:39 pm
Full Name: Luca Dell'Oca
Location: Varese, Italy
Contact:

Re: TCP port 6160 cross-site scripting

Post by dellock6 » Apr 10, 2017 4:55 pm

Out of curiosity I googled a bit for spoolsrv.exe and 6160, and seems indeed that it's a tcp port that the spooler service may use, even if I didn't find any more detail. So, probably Nessus has spool service in its database, so it lists this port as belonging to the spooler service. It's interesting nonetheless, as we may have a port conflict with another product...
Luca Dell'Oca
Principal EMEA Cloud Architect @ Veeam Software

@dellock6
https://www.virtualtothecore.com/
vExpert 2011 -> 2019
Veeam VMCE #1

Post Reply

Who is online

Users browsing this forum: AdsBot [Google], anthonyspiteri79, Baidu [Spider], Bing [Bot], teddyJH and 51 guests