Revision History
- 1.0: November 16, 2021: Initial version
- 2.0: December 09, 2021: CVE ID added
- 3.0: July 20, 2022: Acknowledgement section updated
Summary
Veritas has discovered an issue where Veritas Enterprise Vault could allow Remote Code Execution on a vulnerable Enterprise Vault Server.
Issue | Description | Severity | Identifier | CVE ID |
---|---|---|---|---|
1 |
Deserialization of Untrusted Data Remote Code Execution Vulnerability |
Critical |
ZDI-CAN-14074 |
|
2 |
Deserialization of Untrusted Data Remote Code Execution Vulnerability |
Critical |
ZDI-CAN-14075 |
|
3 |
Deserialization of Untrusted Data Remote Code Execution Vulnerability |
Critical |
ZDI-CAN-14076 |
|
4 |
Deserialization of Untrusted Data Remote Code Execution Vulnerability |
Critical |
ZDI-CAN-14078 |
|
5 |
Deserialization of Untrusted Data Remote Code Execution Vulnerability |
Critical |
ZDI-CAN-14079 |
|
6 |
Deserialization of Untrusted Data Remote Code Execution Vulnerability |
Critical |
ZDI-CAN-14080 |
Issue
- CVE ID: See above
- Severity: Critical
- CVSS v3.1 Base Score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP ports can be exploited due to vulnerabilities that are inherent to the .NET Remoting service. A malicious attacker can exploit both TCP remoting services and local IPC services on the Enterprise Vault Server.
This vulnerability affects Enterprise Vault server if and only if all the following pre-requisites are fulfilled:
- The malicious attacker has RDP access to one of the VMs in the network. In order to have RDP access the attacker needs to be part of the Remote Desktop Users group.
- The malicious attacker knows the IP address of the EV server, the EV process IDs (random), EV TCP dynamic ports (random), EV remoteable object URIs.
- The firewall on the EV server is not properly configured
This vulnerability could allow remote code execution if an attacker sends specially crafted data to a vulnerable EV server.
Affected Versions
All currently supported versions of Enterprise Vault versions: 14.2.1, 14.2, 14.1.3, 14.1.2, 14.1.1,
14.1, 14.0.1, 14.0, 12.5.3, 12.5.2, 12.5.1, 12.5. 12.4.2. 12.4.1. 12.4, 12.3.2, 12.3.1, 12.3,
12.2.3, 12.2.2, 12.2.1, 12.2, 12.1.3, 12.1.2, 12.1.1, 12.1, 12.0.4, 12.0.3, 12.0.2, 12.0.1, 12.0.
Earlier unsupported versions may be affected as well.
Mitigation
The Enterprise Vault server can be protected from such .NET Remoting attacks by applying the following guidelines:
- Ensure that only EV Administrators have access to the Enterprise Vault server as described in the Enterprise Vault Administrator’s Guide.
- Ensure only trusted users are part of the Remote Desktop Users group and have RDP access to the Enterprise Vault server.
- Ensure that the Enterprise Vault server firewall is enabled and properly configured as described in the Enterprise Vault Administrator’s Guide
- Ensure that the latest Windows updates have been installed on the Enterprise Vault server.
Questions
For questions or problems regarding these vulnerabilities please contact Veritas Technical Support (https://www.veritas.com/support)
Acknowledgement
Veritas would like to thank Markus Wulftange and Reno Robert working with Trend Micro’s Zero Day Initiative (ZDI) for notifying us of these vulnerabilities.
Disclaimer
THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
Veritas Technologies LLC
2625 Augustine Drive
Santa Clara, CA 95054