CVE-2024-53915
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on Veritas Enterprise Vault servers by sending malicious data to a .NET Remoting TCP port. The issue affects all versions before 15.2 due to insecure deserialization of untrusted data. Organizations running vulnerable versions of Enterprise Vault are at risk.
💻 Affected Systems
- Veritas Enterprise Vault
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to install malware, steal sensitive data, pivot to other systems, and maintain persistent access.
Likely Case
Remote code execution leading to data exfiltration, ransomware deployment, or creation of backdoors for future attacks.
If Mitigated
Limited impact if proper network segmentation and access controls prevent external access to the vulnerable service.
🎯 Exploit Status
The vulnerability involves .NET deserialization, for which exploitation patterns and tooling are well known. The ZDI-CAN-24405 identifier suggests it was reported through the Zero Day Initiative's program.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 15.2 or later
Vendor Advisory: https://www.veritas.com/content/support/en_US/security/VTS24-014
Restart Required: Yes
Instructions:
1. Download Enterprise Vault 15.2 or later from the Veritas support portal.
2. Back up the current configuration and data.
3. Run the installer with administrative privileges.
4. Follow the upgrade wizard.
5. Restart affected services or the server as required.
🔧 Temporary Workarounds
Block .NET Remoting TCP Port
Restrict network access to the vulnerable .NET Remoting TCP port using firewall rules.
netsh advfirewall firewall add rule name="Block EV .NET Remoting" dir=in action=block protocol=TCP localport=[PORT_NUMBER]
Disable .NET Remoting Service
Temporarily disable the vulnerable .NET Remoting service component if it is not required.
sc stop "Enterprise Vault .NET Remoting Service"
sc config "Enterprise Vault .NET Remoting Service" start= disabled
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Enterprise Vault servers from untrusted networks
- Deploy application control solutions to prevent execution of unauthorized binaries on affected systems
🔍 How to Verify
Check if Vulnerable:
Check the Enterprise Vault version in the Administration Console under Help > About. If the version is below 15.2, the system is vulnerable.
Check Version:
Get-ItemProperty "HKLM:\SOFTWARE\Veritas\Enterprise Vault\CurrentVersion" | Select-Object Version
Verify Fix Applied:
Verify that the version is 15.2 or higher in the Administration Console, and test that .NET Remoting functionality still works for legitimate clients.
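The version check, port exposure check and workaround check above can be combined into one script run on the Enterprise Vault server. This is an added example, not part of the advisory or Veritas tooling; the registry path, the default port 808 and the firewall rule name are taken from this page and are assumptions to adjust for your deployment.

```powershell
# Added example (not from the advisory or Veritas). Compares the installed
# Enterprise Vault version against the fixed release and reports whether the
# .NET Remoting port is still reachable without the compensating block rule.
function Get-EVPatchStatus {
    param(
        # Registry location and port as given on the page (assumed; verify locally)
        [string]$RegPath   = 'HKLM:\SOFTWARE\Veritas\Enterprise Vault\CurrentVersion',
        [version]$Fixed    = '15.2',
        [int]$RemotingPort = 808,
        [string]$RuleName  = 'Block EV .NET Remoting'
    )
    $result = [ordered]@{ Installed = $null; Vulnerable = $null; PortListening = $false; FirewallBlock = $false }

    # 1. Installed version: strip any non-numeric suffix so [version] can parse it
    $raw = (Get-ItemProperty -Path $RegPath -ErrorAction Stop).Version
    $installed = [version]($raw -replace '[^\d.]', '')
    $result.Installed  = $installed
    $result.Vulnerable = $installed -lt $Fixed   # anything below 15.2 is affected

    # 2. Is the .NET Remoting TCP port listening on this host?
    $listen = Get-NetTCPConnection -State Listen -LocalPort $RemotingPort -ErrorAction SilentlyContinue
    $result.PortListening = [bool]$listen

    # 3. Is the inbound block rule from the workaround present and enabled?
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    $result.FirewallBlock = ($null -ne $rule) -and ($rule.Enabled -eq 'True')

    [pscustomobject]$result
}

$status = Get-EVPatchStatus
if ($status.Vulnerable -and $status.PortListening -and -not $status.FirewallBlock) {
    Write-Warning "Enterprise Vault $($status.Installed) is below 15.2 and the .NET Remoting port is exposed with no block rule: patch or apply the workaround."
} else {
    $status
}
```

Run it in an elevated PowerShell session; a host that has upgraded to 15.2 or later reports Vulnerable = False regardless of the port and firewall state.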
📡 Detection & Monitoring
Log Indicators:
- Unusual .NET Remoting connection attempts
- Errors in Enterprise Vault application logs related to deserialization
- Unexpected process creation from Enterprise Vault services
Network Indicators:
- Unusual traffic to Enterprise Vault .NET Remoting TCP port (default 808)
- Suspicious serialized .NET objects in network traffic
SIEM Query:
source="EnterpriseVault" AND (event_id=5000 OR event_id=5001) AND (message="*deserialization*" OR message="*.NET Remoting*")