CVE-2020-36167

moderate-risk

Published 2021-01-06

An issue was discovered in the server in Veritas Backup Exec through 16.2, 20.6 before hotfix 298543, and 21.1 before hotfix 657517. On start-up, it loads the OpenSSL library from the Installation folder. This library in turn attempts to load the /usr/local/ssl/openssl.cnf configuration file, which may not exist. On Windows systems, this path could translate to <drive>:\usr\local\ssl\openssl.cnf. A low privileged user can create a :\usr\local\ssl\openssl.cnf configuration file to load a malicious OpenSSL engine, resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc. If the system is also an Active Directory domain controller, then this can affect the entire domain.

Do I need to act?

0.05% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.3/10 Critical

LOCAL / LOW complexity

Affected Products (1)

Backup Exec

Affected Vendors

Veritas

References (4)

Third Party Advisory https://www.kb.cert.org/vuls/id/429301

Vendor Advisory https://www.veritas.com/content/support/en_US/security/VTS20-010

Third Party Advisory https://www.kb.cert.org/vuls/id/429301

Vendor Advisory https://www.veritas.com/content/support/en_US/security/VTS20-010

/ 100

moderate-risk

Severity 28/34 · Critical

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal