Revision History

  • 1.0: November 16, 2021: Initial version

Summary

Veritas has discovered an issue where Veritas Enterprise Vault could allow Remote Code Execution on a vulnerable Enterprise Vault Server.

Issue Description Severity Identifier

1

Deserialization of Untrusted Data Remote Code Execution Vulnerability

Critical

ZDI-CAN-14074

2

Deserialization of Untrusted Data Remote Code Execution Vulnerability

Critical

ZDI-CAN-14075

3

Deserialization of Untrusted Data Remote Code Execution Vulnerability

Critical

ZDI-CAN-14076

4

Deserialization of Untrusted Data Remote Code Execution Vulnerability

Critical

ZDI-CAN-14078

5

Deserialization of Untrusted Data Remote Code Execution Vulnerability

Critical

ZDI-CAN-14079

6

Deserialization of Untrusted Data Remote Code Execution Vulnerability

Critical

ZDI-CAN-14080

Issue

On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP ports can be exploited due to vulnerabilities that are inherent to the .NET Remoting service. A malicious attacker can exploit both TCP remoting services and local IPC services on the Enterprise Vault Server.

This vulnerability affects Enterprise Vault server if and only if all the following pre-requisites are fulfilled:

  • The malicious attacker has RDP access to one of the VMs in the network. In order to have RDP access the attacker needs to be part of the Remote Desktop Users group.
  • The malicious attacker knows the IP address of the EV server, the EV process IDs (random), EV TCP dynamic ports (random), EV remoteable object URIs.
  • The firewall on the EV server is not properly configured

This vulnerability could allow remote code execution if an attacker sends specially crafted data to a vulnerable EV server.

Affected Versions
All currently supported versions of Enterprise Vault versions: 14.1.2, 14.1.1, 14.1, 14.0.1, 14.0, 12.5.3, 12.5.2, 12.5.1, 12.5. 12.4.2. 12.4.1. 12.4, 12.3.2, 12.3.1, 12.3, 12.2.3, 12.2.2, 12.2.1, 12.2, 12.1.3, 12.1.2, 12.1.1, 12.1, 12.0.4, 12.0.3, 12.0.2, 12.0.1, 12.0. Earlier unsupported versions may be affected as well.

Mitigation

The Enterprise Vault server can be protected from such .NET Remoting attacks by applying the following guidelines:

Questions

For questions or problems regarding these vulnerabilities please contact Veritas Technical Support (https://www.veritas.com/support)

Acknowledgement

Veritas would like to thank Markus Wulftange and Trend Micro’s Zero Day Initiative (ZDI) for notifying us of these vulnerabilities.

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Veritas Technologies LLC
2625 Augustine Drive
Santa Clara, CA 95054