Calero VeraSMART exposes sensitive data and files on an open port

Summary

Old versions of Calero VeraSMART are leaving a critical port open to the internet, allowing anyone to read and write files, including sensitive data like passwords and encryption keys. This could be used to hack into the system or steal sensitive information. Update to the latest version of Calero VeraSMART to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
calero	verasmart	<= 2022.0	–
calero	verasmart	2022.0	–

Original title

Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs (including EndeavorServer.rem and RemoteFi...

Original description

Calero VeraSMART versions prior to 2022 R1 expose an unauthenticated .NET Remoting HTTP service on TCP port 8001. The service publishes default ObjectURIs (including EndeavorServer.rem and RemoteFileReceiver.rem) and permits the use of SOAP and binary formatters with TypeFilterLevel set to Full. An unauthenticated remote attacker can invoke the exposed remoting endpoints to perform arbitrary file read and write operations via the WebClient class. This allows retrieval of sensitive files such as WebRoot\\web.config, which may disclose IIS machineKey validation and decryption keys. An attacker can use these keys to generate a malicious ASP.NET ViewState payload and achieve remote code execution within the IIS application context. Additionally, supplying a UNC path can trigger outbound SMB authentication from the service account, potentially exposing NTLMv2 hashes for relay or offline cracking.

nvd CVSS3.1 9.8

nvd CVSS4.0 10.0

Vulnerability type

CWE-306 Missing Authentication for Critical Function

CWE-502 Deserialization of Untrusted Data

https://www.calero.com/ Product
https://www.vulncheck.com/advisories/calero-verasmart-2022-r1-net-remoting-arbit... Third Party Advisory