- 1.0: February 28, 2020, Initial release
Veritas System Recovery is affected by Microsoft Windows CryptoAPI vulnerability CVE-2020-0601.
Veritas System Recovery is affected by Microsoft Windows CryptoAPI vulnerability CVE-2020-0601, which concerns the verification of ECC code-signing certificates.
In February 2020 Microsoft published a security advisory for a critical issue in the Windows CryptoAPI which an attacker could exploit “by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.” There are instances when Veritas System Recovery (VSR) verifies code-signing certificates and could therefore be affected by this vulnerability. These instances are:
- Initial installation of the product
- Installing an update of the product
- Physical to Virtual (P2V) operation with a VMware ESX server
All versions of VSR are affected when running on a vulnerable version of Windows. Unpatched versions of Windows 10, Windows Server 2016 and Windows Server 2019 are vulnerable. Other versions of Windows are not affected by the issue.
The only way to remediate the issue is to install the Windows update from Microsoft that fixes the vulnerability. There will be no update to VSR to address this issue, because the vulnerability is in Microsoft Windows, not in VSR.
All three instances in which the vulnerability could be triggered can be mitigated by deferring the following tasks:
- Do not perform an initial installation of VSR on a system until the Windows update has been installed.
- Do not install a VSR update on a system until the Windows update has been installed.
- Do not perform a P2V operation on an ESX-related system until the Windows update has been installed on the system being protected.
Users may continue to perform backups and non-P2V restores on vulnerable systems without risk of triggering the vulnerability.
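The following PowerShell pre-flight check is an added example, not part of this advisory and not Veritas code. It turns the mitigation above into a gate an administrator can run on a host before starting a VSR installation, VSR update or P2V operation: it confirms whether the host is one of the Windows families named above and whether the Microsoft update is present, and it queries the Application log for the exploitation-attempt event that patched Windows raises for this CVE (Event ID 1 from provider Microsoft-Windows-Audit-CVE, per Microsoft's guidance for CVE-2020-0601, not stated on this page). The required KB number differs per Windows build and is left as a placeholder to be filled in from Microsoft's advisory; the product-name match is an assumption about how the affected editions report themselves.

```powershell
# Added example: gate VSR install/update/P2V tasks on the CVE-2020-0601 Windows update.
# Not Veritas code. The KB placeholder must be replaced with the value for this build
# taken from Microsoft's CVE-2020-0601 advisory.

# Placeholder: fill in from the Microsoft advisory for this host's Windows build.
$RequiredKB = 'KB<fill-in-from-MS-advisory>'

function Test-AffectedWindowsFamily {
    # The advisory names Windows 10, Windows Server 2016 and Windows Server 2019 as the
    # only affected families. Matching on the OS caption is an assumption about naming.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    return [bool]($os.Caption -match 'Windows 10|Windows Server 2016|Windows Server 2019')
}

function Test-Cve20200601Patched {
    param([string]$Kb = $RequiredKB)
    # Get-HotFix lists installed Windows updates by KB id; absence means not patched.
    $fix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
    return [bool]$fix
}

function Test-VsrTaskAllowed {
    # Returns $true only when it is safe, per the advisory, to run a VSR install,
    # VSR update or ESX P2V on this host: either the OS family is not affected,
    # or the Microsoft update is installed.
    if (-not (Test-AffectedWindowsFamily)) { return $true }
    return (Test-Cve20200601Patched)
}

function Get-Cve20200601AuditEvents {
    # Patched Windows logs Application Event ID 1, provider Microsoft-Windows-Audit-CVE,
    # when certificate validation encounters a CVE-2020-0601 style certificate.
    # Useful after patching to see whether anything spoofed was presented to CryptoAPI.
    $filter = @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-Audit-CVE'; Id = 1 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'CVE-2020-0601' } |
        Select-Object TimeCreated, Message
}

# Usage: decide before launching the VSR installer or a P2V job.
if (Test-VsrTaskAllowed) {
    Write-Output 'OK: host is not exposed to CVE-2020-0601; VSR install/update/P2V may proceed.'
} else {
    Write-Output 'BLOCKED: affected Windows family without the Microsoft update. Install it first; backups and non-P2V restores remain safe.'
}

# Review any logged exploitation attempts (only populated on patched systems).
Get-Cve20200601AuditEvents | Format-Table -AutoSize
```

Run this from an elevated PowerShell session so Get-HotFix and Get-WinEvent can read the update inventory and the Application log; on an unpatched system the audit query is expected to return nothing, because the logging mechanism itself ships with the update.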