CVE-2021-44680
📋 TL;DR
This vulnerability allows remote code execution on Veritas Enterprise Vault servers through insecure .NET Remoting services. Attackers can exploit deserialization flaws in TCP services that listen on random ports during startup. All Enterprise Vault servers through version 14.1.2 are affected unless properly configured.
💻 Affected Systems
- Veritas Enterprise Vault
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary code with SYSTEM privileges, potentially leading to data theft, ransomware deployment, or lateral movement across the network.
Likely Case
Remote code execution leading to installation of backdoors, credential harvesting, or deployment of malware on the Enterprise Vault server.
If Mitigated
Limited to authenticated attackers or blocked by proper firewall rules and service hardening.
🎯 Exploit Status
Exploitation requires network access to the random TCP ports used by .NET Remoting services. No authentication is required for the vulnerable services.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.1.2 with hotfix or later versions
Vendor Advisory: https://www.veritas.com/content/support/en_US/security/VTS21-003
Restart Required: Yes
Instructions:
1. Download the security hotfix from Veritas support portal. 2. Apply the patch following vendor instructions. 3. Restart the Enterprise Vault services. 4. Verify the fix by checking service configurations.
🔧 Temporary Workarounds
Disable .NET Remoting Services
windowsConfigure Enterprise Vault to disable vulnerable .NET Remoting TCP services
Configure via Enterprise Vault Administration Console: Disable .NET Remoting for all services
Firewall Restrictions
windowsBlock all inbound connections to random high ports on Enterprise Vault servers
netsh advfirewall firewall add rule name="Block EV Remoting" dir=in action=block protocol=TCP localport=1024-65535
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to block all inbound connections to Enterprise Vault servers except from authorized management systems.
- Disable all unnecessary .NET Remoting services and implement application whitelisting to prevent execution of unauthorized binaries.
🔍 How to Verify
Check if Vulnerable:
Check if Enterprise Vault version is 14.1.2 or earlier and if .NET Remoting TCP services are running on random ports (netstat -an | findstr LISTENING | findstr :[high port])Check Version:
Check Enterprise Vault version in Administration Console or registry: HKEY_LOCAL_MACHINE\SOFTWARE\Veritas\Enterprise Vault\CurrentVersionVerify Fix Applied:
Verify patch is applied by checking version in Enterprise Vault Administration Console and confirm .NET Remoting services are disabled or properly secured.📡 Detection & Monitoring
Log Indicators:
- Unusual .NET Remoting connections in Windows Event Logs
- Failed authentication attempts to Enterprise Vault services
- Unexpected process creation from Enterprise Vault services
Network Indicators:
- Unexpected connections to high TCP ports (1024-65535) on Enterprise Vault servers
- .NET Remoting protocol traffic to non-standard ports
SIEM Query:
source="windows" AND (event_id=4688 OR event_id=4625) AND process_name="EnterpriseVault*" AND dest_port>1023