CVE-2024-53913

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Veritas Enterprise Vault servers by sending malicious data to a .NET Remoting TCP port. The issue stems from deserialization of untrusted data, enabling remote code execution. Organizations running Enterprise Vault versions before 15.2 are affected.

💻 Affected Systems

Products:
  • Veritas Enterprise Vault
Versions: All versions before 15.2
Operating Systems: Windows (as Enterprise Vault is Windows-based)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Enterprise Vault server component when .NET Remoting TCP port is accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise allowing attackers to install malware, steal sensitive data, pivot to other systems, and maintain persistent access.

🟠 Likely Case: Remote code execution leading to data theft, ransomware deployment, or system disruption.

🟢 If Mitigated: Limited impact with proper network segmentation and access controls preventing exploitation.

🌐 Internet-Facing: HIGH - Directly exploitable over network without authentication.
🏢 Internal Only: HIGH - Exploitable from any network segment with access to the vulnerable port.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

ZDI-CAN-24343 indicates the flaw was reported through the Zero Day Initiative's coordinated disclosure process; an exploit likely exists in threat actor toolkits.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 15.2 or later

Vendor Advisory: https://www.veritas.com/content/support/en_US/security/VTS24-014

Restart Required: Yes

Instructions:

1. Download Enterprise Vault 15.2 or later from the Veritas support portal.
2. Back up configuration and data.
3. Run the installer with administrative privileges.
4. Restart the Enterprise Vault services.

🔧 Temporary Workarounds

Network Segmentation (Windows)

Restrict access to the Enterprise Vault .NET Remoting TCP port using firewall rules.

Windows Firewall: New-NetFirewallRule -DisplayName 'Block EV Remoting' -Direction Inbound -LocalPort [PORT_NUMBER] -Protocol TCP -Action Block

Note that this rule blocks the port for every remote host, including legitimate Enterprise Vault clients; apply it only where no remote use of the port is required, otherwise enforce the restriction at the network perimeter or with host rules scoped by source address.

Disable .NET Remoting (Windows)

Configure Enterprise Vault to disable .NET Remoting if it is not required.

Modify the Enterprise Vault configuration files to remove or disable remoting endpoints.

🧯 If You Can't Patch

  • Implement strict network access controls to limit which systems can reach the vulnerable port
  • Monitor for unusual network connections to the .NET Remoting port and suspicious process creation

🔍 How to Verify

Check if Vulnerable:

Check the Enterprise Vault version in the Administration Console or in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Veritas\Enterprise Vault\CurrentVersion

Check Version:

reg query "HKLM\SOFTWARE\Veritas\Enterprise Vault\CurrentVersion" /v Version

Verify Fix Applied:

Verify version is 15.2 or higher and test .NET Remoting functionality if required.
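The following PowerShell script is an added example, not part of this advisory or of Veritas' own tooling. It reads the Version value under the registry key named above and compares it as a [version] rather than a string (so 15.10 is not misread as older than 15.2), then reports whether anything is listening on the .NET Remoting port and which enabled inbound firewall rules are scoped to it. The registry path, the value name Version, the fixed version 15.2 and the default port 808 come from this page; the assumption that the Version value starts with a dotted numeric string is mine.

```powershell
# Added example: verify CVE-2024-53913 patch state and .NET Remoting port exposure.
# Run in an elevated PowerShell session on the Enterprise Vault server.
param(
    [string]$RegPath = 'HKLM:\SOFTWARE\Veritas\Enterprise Vault\CurrentVersion',  # from the advisory
    [string]$ValueName = 'Version',                                                 # from the advisory's reg query
    [version]$FixedVersion = '15.2',                                                # first fixed release per advisory
    [int]$RemotingPort = 808                                                        # default port named in the advisory
)

$ErrorActionPreference = 'Stop'

function Get-EVVersion {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if (-not $item) { return $null }
    $raw = [string]$item.$Name
    # Assumption: the value begins with a dotted numeric version such as 15.1.0.1234;
    # keep only that part so trailing build tags do not break the [version] cast.
    $m = [regex]::Match($raw, '^\d+(\.\d+){1,3}')
    if (-not $m.Success) { return $null }
    return [version]$m.Value
}

$ver = Get-EVVersion -Path $RegPath -Name $ValueName
if ($null -eq $ver) {
    Write-Output "Enterprise Vault version value not found at $RegPath; is this an Enterprise Vault server?"
} elseif ($ver -lt $FixedVersion) {
    Write-Output "VULNERABLE: Enterprise Vault $ver is older than $FixedVersion (CVE-2024-53913)."
} else {
    Write-Output "OK: Enterprise Vault $ver is at or above $FixedVersion."
}

# Exposure check: is anything listening on the Remoting port, and is it covered by a firewall rule?
$listeners = Get-NetTCPConnection -State Listen -LocalPort $RemotingPort -ErrorAction SilentlyContinue
if ($listeners) {
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        Write-Output ("Listener {0}:{1} owned by {2} (PID {3})" -f $l.LocalAddress, $l.LocalPort, $proc.ProcessName, $l.OwningProcess)
    }
    # Port filters carry LocalPort as strings; walk from matching filters back to their rules.
    $rules = Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$RemotingPort" } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
    if (-not $rules) {
        Write-Output "No enabled inbound firewall rule is scoped to TCP $RemotingPort; the port falls under the profile's default inbound action."
    } else {
        $rules | Select-Object DisplayName, Action, Profile | Format-Table -AutoSize
    }
} else {
    Write-Output "Nothing is listening on TCP $RemotingPort."
}
```

A host that reports OK on the version check but still shows the port listening with no scoped inbound rule is patched but not segmented; the version comparison is the authoritative test for this CVE, the exposure check only tells you how much the workarounds above are still buying you.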

📡 Detection & Monitoring

Log Indicators:

  • Unusual .NET Remoting connections in Windows Event Logs
  • Unexpected process creation from Enterprise Vault services

Network Indicators:

  • Unusual traffic to Enterprise Vault .NET Remoting port (default 808)
  • Suspicious serialized .NET objects in network traffic

SIEM Query:

source="windows" AND (event_id=4688 OR event_id=5156) AND process_name="EnterpriseVault*" AND dest_port=808
