TCP port 6160 cross-site scripting

by Robvil » Mon Apr 03, 2017 2:15 pm

Hi

We had an internal security test done, and the report shows that several machines might be affected by cross-site scripting.

All the machines they list have the Veeam agent installed. They write:
1.2.3.1:6160 (tcp)
1.2.3.2:6160 (tcp)
......

the remote web server is affected by a cross site scripting vulnerability.

Snip from test:
http/1.1 200 ok
content-type text/plain
cache-control: no-cache
Connection:Close
date: .....
Server: .....
Accept ranges: none
Content-length: 349

Note that this XSS attack may only work against web browsers that have content sniffing enabled.

The only service I can locate so far that is using TCP port 6160 is Veeam. I know of course this port does not serve as a normal web server - and we should not be affected at all.

But when does Veeam communicate with agents on port 6160? I cannot see any connections to this port with netstat -on -p tcp | find "6160", so I suspect it's only periodically that this port is active.

Robert

Re: TCP port 6160 cross-site scripting

by vmniels » Mon Apr 03, 2017 2:22 pm

Port 6160 is the default port used by the Veeam installer service. There is no webservice running behind it.
VCP-DCV
Veeam Certified Engineer
http://foonet.be

Re: TCP port 6160 cross-site scripting

by Robvil » Mon Apr 03, 2017 3:03 pm

Thanks. Then it's not Veeam .....

Re: TCP port 6160 cross-site scripting

by dellock6 » Mon Apr 03, 2017 10:45 pm

Be careful if you are using automated tools like Nessus; they are really powerful, but sometimes you need to filter their results and apply some common sense: I've seen a few times Nessus listing Apache vulnerabilities against an IIS web server, only because the server was not properly identified at first. I would try to isolate the test and see what it's looking for.
Luca Dell'Oca
EMEA Cloud Architect @ Veeam Software

@dellock6
http://www.virtualtothecore.com
vExpert 2011-2012-2013-2014-2015-2016
Veeam VMCE #1

Re: TCP port 6160 cross-site scripting

by Robvil » Tue Apr 04, 2017 6:13 am

Yeah, I already ruled out a lot of stuff which is not relevant. Many Cisco alerts are not relevant, as Nessus cannot see the configuration.
But regarding TCP port 6160 - I found something interesting. It looks as if it's a print driver which is periodically opening this port (for whatever reason, I don't know yet), as I can see the PID associated with the port is spoolsv.exe before it goes to PID 0, as the connection is gone very fast again. I think it's drivers for our label printers.

Re: TCP port 6160 cross-site scripting

by dellock6 » Mon Apr 10, 2017 4:55 pm

Out of curiosity I googled a bit for spoolsrv.exe and 6160, and it seems indeed that it's a TCP port that the spooler service may use, even if I didn't find any more detail. So, probably Nessus has the spool service in its database, so it lists this port as belonging to the spooler service. It's interesting nonetheless, as we may have a port conflict with another product...
Luca Dell'Oca
EMEA Cloud Architect @ Veeam Software

@dellock6
http://www.virtualtothecore.com
vExpert 2011-2012-2013-2014-2015-2016
Veeam VMCE #1
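
One way to catch the short-lived socket on port 6160 discussed in this thread, as an added example that is not part of the original posts: a PowerShell loop that polls the port and records the owning process and any Windows service hosted in it, so a scanner finding can be attributed to the right product. The port number comes from the thread; the poll interval, observation window and CSV path are assumptions.

```powershell
# Added example (not from the thread): log which process owns local TCP port 6160.
# Assumptions: Windows 8 / Server 2012 or later (Get-NetTCPConnection), an elevated
# shell, and the constructed interval, duration and output path defaults below.
param(
    [int]$Port = 6160,                              # port flagged in the scan report
    [int]$IntervalMs = 250,                         # assumed poll interval
    [int]$Minutes = 60,                             # assumed observation window
    [string]$OutFile = "$env:TEMP\port-owner.csv"   # assumed output path
)

$deadline = (Get-Date).AddMinutes($Minutes)
$seen = @{}   # "state|pid|remote" keys already written to the log

while ((Get-Date) -lt $deadline) {
    # No matching socket is the normal case here, so suppress the "not found" error
    $conns = Get-NetTCPConnection -LocalPort $Port -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $key = '{0}|{1}|{2}:{3}' -f $c.State, $c.OwningProcess, $c.RemoteAddress, $c.RemotePort
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true

        # PID 0 means the socket has outlived its process (e.g. TIME_WAIT): nothing to resolve
        $proc = $null
        $svc = $null
        if ($c.OwningProcess -ne 0) {
            $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
            # Map the PID to the services running inside that process
            $svc = Get-CimInstance Win32_Service -Filter "ProcessId = $($c.OwningProcess)" -ErrorAction SilentlyContinue
        }

        [pscustomobject]@{
            Time     = (Get-Date).ToString('o')
            State    = $c.State
            Local    = '{0}:{1}' -f $c.LocalAddress, $c.LocalPort
            Remote   = '{0}:{1}' -f $c.RemoteAddress, $c.RemotePort
            OwnerPid = $c.OwningProcess
            Process  = $proc.ProcessName
            Path     = $proc.Path
            Services = ($svc.Name -join ';')
        } | Export-Csv -Path $OutFile -Append -NoTypeInformation
    }
    Start-Sleep -Milliseconds $IntervalMs
}
```

Rows in Listen state identify the process that actually answers the scanner's HTTP probe; the Remote column shows whether the peer was the scanner or a backup server.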