Veritas Enterprise Vault: Critical code smuggling flaws in archiving software
Attackers can exploit critical flaws in Veritas's Enterprise Vault to inject malicious code.

(Image: Zoomik/Shutterstock.com)
The email archiving and data storage software Veritas Enterprise Vault allows attackers to inject and execute malicious code from the network. A fix is apparently not planned until later next year ("third quarter of CY25", presumably meaning calendar year 2025). Until then, IT managers should take interim countermeasures to make exploitation of the vulnerabilities less likely.
Veritas describes the software flaws in a security advisory. Trend Micro's Zero-Day Initiative (ZDI) reported a total of seven security vulnerabilities rated as critical to Veritas. Without acknowledging the externally reported findings, Veritas writes: "Veritas has discovered an issue where Veritas Enterprise Vault allows code execution from the network on vulnerable Enterprise Vault servers".
No CVE vulnerability entries yet
There are currently no CVE entries for the vulnerabilities. However, Veritas writes that they reach a CVSS score of 9.8 and are therefore rated a critical security risk. When the Enterprise Vault application starts, it in turn starts services that listen for commands from client applications on random .NET Remoting TCP ports. These TCP ports can be abused because of vulnerabilities in the .NET Remoting service. Attackers can target both the TCP remoting services and local IPC services on the Enterprise Vault server. The vulnerability type is "execution of malicious code from the network due to deserialization of untrusted data".
Several conditions must be met for the vulnerabilities to be exploitable: attackers must have RDP access to a VM on the network, which requires an account that is a member of the RDP user group. They must also know the IP address of the Enterprise Vault server, its random process IDs, the dynamically assigned TCP ports and the server's "Remotable Object" URIs. As a further hurdle, the firewall on the server must be inadequately configured. If these requirements are met (and the CVSS score suggests this is easier in practice than it sounds), malicious actors can inject and execute malicious code by sending crafted requests from the network.
All currently supported versions of Enterprise Vault are affected: 15.1, 15.0, 15.0.1, 15.0.2, 14.5, 14.5.1, 14.4, 14.4.1, 14.4.2, 14.3, 14.3.1, 14.3.2, 14.2, 14.2.3, 14.2.2, 14.2.1, 14.1.3, 14.1.2, 14.1.1, 14.1, 14.0.1 and 14.0. Older versions may also be vulnerable, but will no longer receive support.
Enterprise Vault 15.2 is expected to fix the flaws. "General availability is expected in the third quarter of CY25" (CY is used, among other things, as an abbreviation for calendar year). In the meantime, Veritas lists temporary countermeasures that admins should take: only Enterprise Vault admins should be granted access to the server, only trusted users should be members of the RDP user group, and the firewall should be properly configured and enabled; Veritas links instructions for this in the advisory. It is also important to install Windows updates on the Enterprise Vault server.
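The following PowerShell script is an added example for checking the interim measures listed above on the Enterprise Vault server itself; it is not part of the article or of Veritas's advisory. It assumes it is run in an elevated session on the Windows server, and the Enterprise Vault process name list is a placeholder that must be filled in from the installation's own services, since the article does not name them. Because the remoting services listen on dynamically assigned ports, the script enumerates listeners by owning process rather than by a fixed port list.

```powershell
# Added example (not from the article or the Veritas advisory): audit the interim
# mitigations on an Enterprise Vault server. Run in an elevated PowerShell session
# on the server. $evProcessNames is an assumption: replace the placeholder with the
# executable names of the Enterprise Vault services on your installation.
$evProcessNames = @('PLACEHOLDER_EV_PROCESS')

# 1. RDP user group membership: only trusted users should appear here.
Write-Host "== Members of 'Remote Desktop Users' =="
Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 2. Windows Firewall: every profile enabled and blocking inbound traffic by default.
Write-Host "== Firewall profiles =="
$profiles = Get-NetFirewallProfile
$profiles | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize
$weak = $profiles | Where-Object {
    $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block'
}
if ($weak) {
    Write-Warning ("Firewall profile(s) not enforcing inbound blocking: " + ($weak.Name -join ', '))
}

# 3. Listening TCP ports, resolved to the owning process. The remoting ports are
#    assigned at random, so they can only be found via the process that opened them.
Write-Host "== Listening TCP ports by process =="
$listeners = Get-NetTCPConnection -State Listen | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalAddress = $_.LocalAddress
        LocalPort    = $_.LocalPort
        PID          = $_.OwningProcess
        Process      = if ($proc) { $proc.ProcessName } else { '?' }
    }
}
$listeners | Sort-Object Process, LocalPort | Format-Table -AutoSize

# Listeners bound to all interfaces are reachable from the network and must be
# covered by the firewall rules; loopback-only listeners are not exposed this way.
$exposed = $listeners | Where-Object {
    ($evProcessNames -contains $_.Process) -and ($_.LocalAddress -in @('0.0.0.0', '::'))
}
if ($exposed) {
    Write-Warning "Enterprise Vault listeners reachable from the network:"
    $exposed | Format-Table -AutoSize
}

# 4. Patch level: most recently installed Windows updates.
Write-Host "== Most recent Windows updates =="
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn |
    Format-Table -AutoSize
```

The script only reads configuration; it changes nothing. Any warning it prints points at one of the conditions the article names as a prerequisite for exploitation (an overly broad RDP group, a disabled or permissive firewall profile, or a remoting listener exposed on all interfaces) and should be corrected using the firewall guidance Veritas links in its advisory.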
A security vulnerability in Veritas NetBackup became known at the beginning of the month. It allows attackers to escalate their privileges on the system.
(dmk)