Impact of InfoScale Windows .Net Remoting Insecure Deserialization Vulnerability

A vulnerability was discovered in the Arctera InfoScale product where a .NET remoting endpoint can be exploited due to the insecure deserialization of potentially untrusted messages. The vulnerability is present in the Windows Plugin_Host service, which runs on all the servers where InfoScale is installed. The service is used only when applications are configured for Disaster Recovery (DR) using the DR wizard. Disabling the Plugin_Host service manually will eliminate the vulnerability.

Affected Versions

Arctera InfoScale Enterprise for Windows versions 7.0, 7.0.1, 7.1, 7.2, 7.3, 7.3.1, 7.4, 7.4.1, 7.4.2, 8.0, 8.0.1, and 8.0.2 are affected. The earlier unsupported versions of Arctera/Veritas InfoScale are also affected by this vulnerability.

About Remediation

To check updates on the remediation steps, please refer to the Security Advisory here:  

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.  VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION.  THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.