VTS24-014

Remote Code Execution Vulnerabilities in Veritas Enterprise Vault

Revision History

  • 1.0: November 15, 2024: Initial version
  • 2.0: December 3, 2024: CVE IDs, Version 14.5.2, and Discovery Accelerator, and Compliance Accelerator/Veritas Surveillance added

Summary

Veritas has discovered an issue where Veritas Enterprise Vault could allow Remote Code Execution on a vulnerable Enterprise Vault, Discovery Accelerator, and Compliance Accelerator/Veritas Surveillance Server.

  Issue Description Severity Identifier CVE ID

1

Deserialization of Untrusted Data Remote Code Execution Vulnerability

Critical

ZDI-CAN-24334

CVE-2024-53909

2

Deserialization of Untrusted Data Remote Code Execution Vulnerability

Critical

ZDI-CAN-24336

CVE-2024-53910

3

Deserialization of Untrusted Data Remote Code Execution Vulnerability

Critical

ZDI-CAN-24339

CVE-2024-53911

4

Deserialization of Untrusted Data Remote Code Execution Vulnerability

Critical

ZDI-CAN-24341

CVE-2024-53912

5

Deserialization of Untrusted Data Remote Code Execution Vulnerability

Critical

ZDI-CAN-24343

CVE-2024-53913

6

Deserialization of Untrusted Data Remote Code Execution Vulnerability

Critical

ZDI-CAN-24344

CVE-2024-53914

7

Deserialization of Untrusted Data Remote Code Execution Vulnerability

Critical

ZDI-CAN-24405

CVE-2024-53915

 

Issue

On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP ports can be exploited due to vulnerabilities that are inherent to the .NET Remoting service. A malicious attacker can exploit both TCP remoting services and local IPC services on the Enterprise Vault and Discovery Accelerator, and Compliance Accelerator/Veritas Surveillance Server.

This vulnerability affects Enterprise Vault server if and only if all the following pre-requisites are fulfilled:

  • The malicious attacker has RDP access to one of the VMs in the network. In order to have RDP access the attacker needs to be part of the Remote Desktop Users group.
  • The malicious attacker knows the IP address of the EV server, the EV process IDs (random), EV TCP dynamic ports (random), EV remoteable object URIs.
  • The firewall on the EV server is not properly configured

This vulnerability could allow remote code execution if an attacker sends specially crafted data to a vulnerable EV server.

Affected Versions
All currently supported versions of Enterprise Vault versions: 15.1, 15.0, 15.0.1, 15.0.2, 14.5, 14.5.2, 14.5.1, 14.4, 14.4.1, 14.4.2, 14.3, 14.3.1, 14.3.2, 14.2, 14.2.3, 14.2.2, 14.2.1, 14.1.3, 14.1.2, 14.1.1, 14.1, 14.0.1, 14.0. Earlier unsupported versions may be affected as well.

Mitigation

The Enterprise Vault server can be protected from such .NET Remoting attacks by applying the following guidelines:

The Discovery Accelerator, and Compliance Accelerator/Veritas Surveillance server can be protected from such .NET Remoting attacks by applying the following guideline:

  • Ensure only trusted users are part of the Remote Desktop Users group and have RDP access to the respective server. On client machines, allow only legitimate Discovery Accelerator or Compliance Accelerator/Veritas Surveillance users to logon.
  • Ensure respective server firewall is enabled and properly configured so that it blocks all incoming traffic from port 8085 and 8086 from all machines except where the client applications are installed.

Veritas plans to remediate these vulnerabilities in Enterprise Vault 15.2, with General Availability expected in the third quarter of CY25.

Questions

For questions or problems regarding these vulnerabilities please contact Veritas Technical Support (https://www.veritas.com/support)

Acknowledgement

Veritas would like to thank Sina Kheirkhah working with Trend Micro’s Zero Day Initiative (ZDI) for notifying us of these vulnerabilities.

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Veritas Technologies LLC
2625 Augustine Drive
Santa Clara, CA 95054