CVE-2020-36161

moderate-risk
Published 2021-01-06

An issue was discovered in Veritas APTARE 10.4 before 10.4P9 and 10.5 before 10.5P3. By default, on Windows systems, users can create directories under C:\. A low privileged user can create a directory at the configuration file locations. When the Windows system restarts, a malicious OpenSSL engine could exploit arbitrary code execution as SYSTEM. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc.

Do I need to act?

-
0.05% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
LOCAL / LOW complexity

Affected Products (11)

Aptare It Analytics
Aptare It Analytics
Aptare It Analytics
Aptare It Analytics
Aptare It Analytics
Aptare It Analytics
Aptare It Analytics
Aptare It Analytics
Aptare It Analytics
Aptare It Analytics
Aptare It Analytics

Affected Vendors

Veritas

References (2)

Vendor Advisory https://www.veritas.com/content/support/en_US/security/VTS20-009
Vendor Advisory https://www.veritas.com/content/support/en_US/security/VTS20-009
43
/ 100
moderate-risk
Severity 27/34 · High
Exploitability 0/34 · Minimal
Exposure 16/34 · Moderate