VTS24-014

Remote Code Execution Vulnerabilities in Veritas Enterprise Vault

Revision History

1.0: November 15, 2024: Initial version
2.0: December 3, 2024: CVE IDs, Version 14.5.2, and Discovery Accelerator, and Compliance Accelerator/Veritas Surveillance added

Summary

Veritas has discovered an issue where Veritas Enterprise Vault could allow Remote Code Execution on a vulnerable Enterprise Vault, Discovery Accelerator, and Compliance Accelerator/Veritas Surveillance Server.

	Issue Description	Severity	Identifier	CVE ID
1	Deserialization of Untrusted Data Remote Code Execution Vulnerability	Critical	ZDI-CAN-24334	CVE-2024-53909
2	Deserialization of Untrusted Data Remote Code Execution Vulnerability	Critical	ZDI-CAN-24336	CVE-2024-53910
3	Deserialization of Untrusted Data Remote Code Execution Vulnerability	Critical	ZDI-CAN-24339	CVE-2024-53911
4	Deserialization of Untrusted Data Remote Code Execution Vulnerability	Critical	ZDI-CAN-24341	CVE-2024-53912
5	Deserialization of Untrusted Data Remote Code Execution Vulnerability	Critical	ZDI-CAN-24343	CVE-2024-53913
6	Deserialization of Untrusted Data Remote Code Execution Vulnerability	Critical	ZDI-CAN-24344	CVE-2024-53914
7	Deserialization of Untrusted Data Remote Code Execution Vulnerability	Critical	ZDI-CAN-24405	CVE-2024-53915

Issue

CVE ID: See above
Severity: Critical
CVSS v3.1 Base Score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP ports can be exploited due to vulnerabilities that are inherent to the .NET Remoting service. A malicious attacker can exploit both TCP remoting services and local IPC services on the Enterprise Vault and Discovery Accelerator, and Compliance Accelerator/Veritas Surveillance Server.

This vulnerability affects Enterprise Vault server if and only if all the following pre-requisites are fulfilled:

The malicious attacker has RDP access to one of the VMs in the network. In order to have RDP access the attacker needs to be part of the Remote Desktop Users group.
The malicious attacker knows the IP address of the EV server, the EV process IDs (random), EV TCP dynamic ports (random), EV remoteable object URIs.
The firewall on the EV server is not properly configured

This vulnerability could allow remote code execution if an attacker sends specially crafted data to a vulnerable EV server.

Affected Versions
All currently supported versions of Enterprise Vault versions: 15.1, 15.0, 15.0.1, 15.0.2, 14.5, 14.5.2, 14.5.1, 14.4, 14.4.1, 14.4.2, 14.3, 14.3.1, 14.3.2, 14.2, 14.2.3, 14.2.2, 14.2.1, 14.1.3, 14.1.2, 14.1.1, 14.1, 14.0.1, 14.0. Earlier unsupported versions may be affected as well.

Mitigation

The Enterprise Vault server can be protected from such .NET Remoting attacks by applying the following guidelines:

Ensure that only EV Administrators have access to the Enterprise Vault server as described in the Enterprise Vault Administrator’s Guide.
- See Managing Administrator Security
Ensure only trusted users are part of the Remote Desktop Users group and have RDP access to the Enterprise Vault server.
Ensure that the Enterprise Vault server firewall is enabled and properly configured as described in the Enterprise Vault Administrator’s Guide
- See: Firewall settings for Enterprise Vault programs
Ensure that the latest Windows updates have been installed on the Enterprise Vault server.

The Discovery Accelerator, and Compliance Accelerator/Veritas Surveillance server can be protected from such .NET Remoting attacks by applying the following guideline:

Ensure only trusted users are part of the Remote Desktop Users group and have RDP access to the respective server. On client machines, allow only legitimate Discovery Accelerator or Compliance Accelerator/Veritas Surveillance users to logon.
Ensure respective server firewall is enabled and properly configured so that it blocks all incoming traffic from port 8085 and 8086 from all machines except where the client applications are installed.

Veritas plans to remediate these vulnerabilities in Enterprise Vault 15.2, with General Availability expected in the third quarter of CY25.

Questions

For questions or problems regarding these vulnerabilities please contact Veritas Technical Support (https://www.veritas.com/support)

Acknowledgement

Veritas would like to thank Sina Kheirkhah working with Trend Micro’s Zero Day Initiative (ZDI) for notifying us of these vulnerabilities.

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Veritas Technologies LLC
2625 Augustine Drive
Santa Clara, CA 95054