Headline
CVE-2021-44682: Remote Code Execution Vulnerabilities in Veritas Enterprise Vault
An issue (6 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP services can be exploited due to deserialization behavior that is inherent to the .NET Remoting service. A malicious attacker can exploit both TCP remoting services and local IPC services on the Enterprise Vault Server. This vulnerability is mitigated by properly configuring the servers and firewall as described in the vendor’s security alert for this vulnerability (VTS21-003, ZDI-CAN-14079).
Summary
Veritas has discovered an issue where Veritas Enterprise Vault could allow Remote Code Execution on a vulnerable Enterprise Vault Server.
| Issue | Description | Severity | Identifier |
|---|---|---|---|
| 1 | Deserialization of Untrusted Data Remote Code Execution Vulnerability | Critical | ZDI-CAN-14074 |
| 2 | Deserialization of Untrusted Data Remote Code Execution Vulnerability | Critical | ZDI-CAN-14075 |
| 3 | Deserialization of Untrusted Data Remote Code Execution Vulnerability | Critical | ZDI-CAN-14076 |
| 4 | Deserialization of Untrusted Data Remote Code Execution Vulnerability | Critical | ZDI-CAN-14078 |
| 5 | Deserialization of Untrusted Data Remote Code Execution Vulnerability | Critical | ZDI-CAN-14079 |
| 6 | Deserialization of Untrusted Data Remote Code Execution Vulnerability | Critical | ZDI-CAN-14080 |
Issue
- CVE ID: To be assigned
- Severity: Critical
- CVSS v3.1 Base Score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP ports can be exploited due to vulnerabilities that are inherent to the .NET Remoting service. A malicious attacker can exploit both TCP remoting services and local IPC services on the Enterprise Vault Server.
This vulnerability affects Enterprise Vault server if and only if all the following pre-requisites are fulfilled:
- The malicious attacker has RDP access to one of the VMs in the network. In order to have RDP access the attacker needs to be part of the Remote Desktop Users group.
- The malicious attacker knows the IP address of the EV server, the EV process IDs (random), the EV TCP dynamic ports (random), and the EV remoteable object URIs.
- The firewall on the EV server is not properly configured.
This vulnerability could allow remote code execution if an attacker sends specially crafted data to a vulnerable EV server.
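An added audit example (not code from Veritas or the advisory) for checking the firewall prerequisite on an EV server: it lists the network-reachable TCP listeners owned by Enterprise Vault processes and reports firewall profiles or program rules that would leave them exposed. The install-directory placeholder and the variable names are assumptions; the cmdlets are the standard Windows NetTCPIP and NetSecurity ones.

```powershell
# Added audit example (not Veritas code). Run elevated on the Enterprise Vault server.
param(
    # Placeholder, not a value from the advisory: set to this server's EV install directory.
    [string]$EvInstallPath = '<ENTERPRISE_VAULT_INSTALL_DIR>'
)

# 1. Running processes whose executable lives under the install directory.
$evProcs = Get-Process | Where-Object {
    $_.Path -and $_.Path.StartsWith($EvInstallPath, [StringComparison]::OrdinalIgnoreCase)
}

# 2. Their TCP listeners that are bound to something other than loopback,
#    i.e. the dynamically assigned ports the advisory describes.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.OwningProcess -in $evProcs.Id -and $_.LocalAddress -notin '127.0.0.1', '::1' }

# 3. Effective firewall profiles (ActiveStore includes Group Policy) that are
#    disabled or that allow inbound traffic by default.
$weakProfiles = Get-NetFirewallProfile -PolicyStore ActiveStore |
    Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow' }

# 4. Enabled inbound Allow rules in the local store that name one of those
#    executables and accept any remote address. Port-based rules and rules that
#    store the program path with environment variables are not matched here.
$openRules = foreach ($exe in ($evProcs.Path | Sort-Object -Unique)) {
    Get-NetFirewallApplicationFilter -Program $exe -ErrorAction SilentlyContinue |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' } |
        Select-Object DisplayName, @{ n = 'Program'; e = { $exe } }
}

# 5. Report. Non-empty WeakProfiles or OpenAllowRules alongside NetworkListeners
#    means the listeners may be reachable from other hosts.
[pscustomobject]@{
    EvProcesses      = $evProcs | Select-Object Id, ProcessName
    NetworkListeners = $listeners | Select-Object LocalAddress, LocalPort, OwningProcess
    WeakProfiles     = $weakProfiles | Select-Object Name, Enabled, DefaultInboundAction
    OpenAllowRules   = $openRules
} | Format-List
```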
Affected Versions
All currently supported versions of Enterprise Vault: 14.1.2, 14.1.1, 14.1, 14.0.1, 14.0, 12.5.3, 12.5.2, 12.5.1, 12.5, 12.4.2, 12.4.1, 12.4, 12.3.2, 12.3.1, 12.3, 12.2.3, 12.2.2, 12.2.1, 12.2, 12.1.3, 12.1.2, 12.1.1, 12.1, 12.0.4, 12.0.3, 12.0.2, 12.0.1, 12.0. Earlier unsupported versions may be affected as well.
Disclaimer
THE SECURITY ADVISORY IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
Veritas Technologies LLC
2625 Augustine Drive
Santa Clara, CA 95054