InfoScale Windows .Net Remoting Insecure Deserialization Vulnerability

Revision History

• 1.0: February 28, 2025: Initial version

Summary

A vulnerability was discovered in the Arctera InfoScale product where a .NET remoting endpoint can be exploited due to the insecure deserialization of potentially untrusted messages. The vulnerability is present in the Windows Plugin_Host service, which runs on all the servers where InfoScale is installed. The service is used only when applications are configured for Disaster Recovery (DR) using the DR wizard. Disabling the Plugin_Host service manually will eliminate the vulnerability.

Issue

CVE ID: To be announced

Severity: Critical

CVSS v3.1 Base Score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CWE-502: Deserialization of Untrusted Data

Affected versions: Arctera InfoScale Enterprise for Windows versions 7.0, 7.0.1, 7.1, 7.2, 7.3, 7.3.1, 7.4, 7.4.1, 7.4.2, 8.0, 8.0.1, and 8.0.2 are affected. The earlier unsupported versions of Arctera/Veritas InfoScale are also affected by this vulnerability.

Mitigation

On each node in the InfoScale cluster, stop the Veritas Plug-in Host Service (Plugin_Host) service and set its Startup Type to Disabled.

Alternatively, you can choose to configure applications for DR manually, without the use of the vulnerable component.

For further information please refer to the following Arctera Technote:

• https://www.veritas.com/support/en_US/doc/infoscale_dr_manual_configuration

Acknowledgement

Arctera would like to thank Sina Kheirkhah (@SinSinology) of watchTowr (https://watchtowr.com) for notifying us of this vulnerability.

Questions

For questions or problems regarding these vulnerabilities please contact Arctera Technical Support (https://www.arctera.io/support).

Disclaimer

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.  ARCTERA US LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION.  THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Arctera US LLC
6200 Stoneridge Mall Road, Suite 150
Pleasanton, CA 94588