- 1.0: December 23, 2020: Initial version
- 1.1: January 8, 2021: Added CVE ID and updated Remediation section
Veritas has discovered an issue where Veritas Backup Exec could allow an attacker to run arbitrary code with administrator privilege.
CVE ID: CVE-2020-36167
CVSS v3.1 Base Score: 9.3 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
On start-up, the Backup Exec service loads the OpenSSL library from the Backup Exec Installation folder. This library in turn attempts to load the /usr/local/ssl/openssl.cnf configuration file which may not exist. On Windows systems, this path could translate to <drive>:\usr\local\ssl\openssl.cnf, where <drive> could be the default Windows installation drive such as C:\ or the current root directory for the application. A low privileged user on the Windows system without any privileges in Backup Exec can create a <drive>:\usr\local\ssl\openssl.cnf configuration file to load a malicious OpenSSL engine resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, to access all installed applications, etc. If the system is also an Active Directory domain controller then this can affect the entire domain.
This vulnerability only affects Backup Exec servers, it does not affect Backup Exec agents.
Backup Exec versions BE 20.x, BE 21.x and 16.x are affected. Earlier unsupported versions may be affected as well.
Customers under a current maintenance contract can download and install updates and patches as described below:
- If you are on BE 21.x:
- Install Backup Exec 21.1 Hotfix 657517 (Engineering version 21.0.1200.1217)
- If you are on BE 20.x:
- Install Backup Exec 20.6 Hotfix 298543 (Engineering version 20.0.1188.2734)
These hot fixes will be available in Veritas Update for automated download and installation.
If you are on Backup Exec version 16.x or older, Veritas recommends that you upgrade to Backup Exec 21.1 + patch.
See the Veritas Download Center for available updates: https://www.veritas.com/support/en_US/downloads
If not applying a recommended remediation listed above, use an administrator account to create the directory ‘\usr\local\ssl’ under root of all drives and set the ACL on the directory to deny write access to all other users. This will prevent an attacker from installing a malicious OpenSSL engine.
For questions or problems regarding this vulnerability please contact Veritas Technical Support (https://www.veritas.com/support).
Veritas would like to thank Will Dormann of the CERT/CC for notifying us of this vulnerability.