Remote code execution vulnerabilities discovered in Veritas Enterprise Vault

Veritas Enterprise Vault (EV) is a software platform designed for enterprises that enables centralized archiving and management of corporate data, including emails, files, social media content, voicemails, and other information. EV is widely used in industries such as legal, finance, and healthcare, where long-term data retention and recovery are essential.

Several critical vulnerabilities have been discovered in Veritas Enterprise Vault that may allow attackers to execute remote code (Remote Code Execution, RCE). These vulnerabilities arise from the deserialization of untrusted data, and Veritas plans to address these issues in the upcoming Enterprise Vault 15.2 release. Until then, users are strongly advised to implement specific measures to secure their systems.

Vulnerability Details

Vulnerability Type: Deserialization of untrusted data leading to RCE.

CVE Identifiers:

• ZDI-CAN-24334
• ZDI-CAN-24336
• ZDI-CAN-24339
• ZDI-CAN-24341
• ZDI-CAN-24343
• ZDI-CAN-24344
• ZDI-CAN-24405

Severity Level: Critical.
CVSS v3.1 Base Score: 9.8

Description:
When started, the Enterprise Vault application activates multiple services that accept commands via .NET Remoting TCP ports. Vulnerabilities in the .NET Remoting protocol make these services susceptible to exploitation. An attacker could exploit these vulnerabilities by sending specially crafted data to a vulnerable Enterprise Vault server, potentially enabling remote code execution.

Affected Versions

All supported versions of Enterprise Vault:

• 15.x series: 15.1, 15.0, 15.0.1, 15.0.2
• 14.x series: 14.5, 14.5.1, 14.4, and other minor versions.
• Version 14.0: Including older unsupported versions, which may also be vulnerable.

Recommended Mitigation Steps

1. Restrict RDP Access:
   • Allow remote access only to trusted users.
   • Grant administrator privileges only to essential personnel.
2. Proper Firewall Configuration:
   • Ensure the Enterprise Vault server’s firewall is configured correctly to block unauthorized access.
3. Update Windows Systems:
   • Install the latest Windows security updates on the server.
4. Minimize Access:
   • Restrict access to the EV server to only necessary users.
   • Follow best practices for administrator security.
5. Implement Monitoring:
   • Continuously monitor for suspicious activity on the server and network. Use intrusion detection systems (IDS) and log monitoring to identify exploitation attempts.
6. Prepare for the Upcoming Update:
   • Upgrade to Enterprise Vault 15.2 as soon as it becomes available. This version is expected to be released in the third quarter of 2025.

The vulnerabilities identified in Enterprise Vault pose a significant threat to network security. Attackers may exploit them to execute remote code, potentially resulting in a loss of control over the system. Organizations must take the recommended actions immediately to ensure effective protection against these vulnerabilities.