Revision History

  • 1.0: December 23, 2020: Initial version
  • 1.1: January 8, 2021: Added CVE ID, updated description

Summary

As part of our ongoing testing process, Veritas has discovered an issue where Veritas Enterprise Vault could allow an attacker to run arbitrary code with administrator privilege.

Issue

CVE ID: CVE-2020-36164
Severity: Critical
CVSS v3.1 Base Score: 9.3 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

On start-up, the Enterprise Vault application loads the OpenSSL library. The OpenSSL library then attempts to load the openssl.cnf configuration file from the following location on both the system drive (typically C:\) and the Enterprise Vault installation drive (typically not C:\); the file does not exist there by default:

SMTP Server: \Isode\etc\ssl\openssl.cnf

By default, on Windows systems, users can create directories under C:\. A low-privileged user on the Windows system without any privileges in Enterprise Vault can create an openssl.cnf configuration file at the paths specified above to load a malicious OpenSSL engine, resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, all installed applications, etc.

This vulnerability only affects an Enterprise Vault server if the following component is enabled:

  • SMTP Server – SMTP Archiving

The Enterprise Vault client applications are not impacted.

Affected Versions

Enterprise Vault versions 14.0, 12.5.2, 12.5.1, 12.5, 12.4.2, 12.4.1, 12.4, 12.3.2, 12.3.1, 12.3, 12.2.3, 12.2.2, 12.2.1, 12.2, 12.1.3, 12.1.2, 12.1.1, 12.1, 12.0.4, 12.0.3, 12.0.2, 12.0.1, 12.0. Earlier unsupported versions may be affected as well.

Remediation

Customers under a current maintenance contract can upgrade and/or apply a patch if and when it is made available by Veritas.

Mitigation

Using an administrator account, create the directories specified above and set the ACL on each directory to deny write access to all other users. This will prevent an attacker from installing a malicious OpenSSL engine.
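One way to apply this mitigation from an elevated PowerShell session, as an added example that is not Veritas' own script: it pre-creates the \Isode\etc\ssl path from the advisory on both drives and leaves only Administrators and SYSTEM with write access. The installation drive letter ($EvInstallDrive) is an assumption and must be set to the drive Enterprise Vault is actually installed on.

```powershell
# Added mitigation script (not Veritas' own): pre-create the openssl.cnf search path
# on both drives and restrict it so only Administrators and SYSTEM can write there.
# Assumption: $EvInstallDrive is the drive Enterprise Vault is installed on; adjust it.
$EvInstallDrive = 'E:'
$SystemDrive    = $env:SystemDrive    # typically C:

# Each directory level of the advisory's path gets the restrictive ACL, not just the leaf,
# so an attacker cannot replace an intermediate directory either.
$levels = @('\Isode', '\Isode\etc', '\Isode\etc\ssl')
$dirs   = foreach ($drive in $SystemDrive, $EvInstallDrive) {
    foreach ($level in $levels) { "$drive$level" }
}

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

foreach ($dir in $dirs) {
    # Create the directory if it is missing (it does not exist by default per the advisory)
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    $acl = Get-Acl -Path $dir
    # Break inheritance from the drive root, whose default ACL lets ordinary users create
    # folders, and discard the inherited rules instead of copying them.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($rule) | Out-Null
    }
    # Administrators and SYSTEM keep full control; the Enterprise Vault service runs as SYSTEM.
    foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $principal, 'FullControl', $inherit, $prop, 'Allow'))
    }
    # Everyone else is read-only: with no Allow for write/create/delete rights, the
    # directory is effectively write-denied for all other users.
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        'BUILTIN\Users', 'ReadAndExecute', $inherit, $prop, 'Allow'))
    Set-Acl -Path $dir -AclObject $acl
}

# Verify: warn about any Allow rule granting write or delete rights to a principal
# other than Administrators or SYSTEM on the protected directories.
foreach ($dir in $dirs) {
    (Get-Acl -Path $dir).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.IdentityReference.Value -notin 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM' -and
                       ([int]($_.FileSystemRights -band 'Write, Delete')) -ne 0 } |
        ForEach-Object { Write-Warning "$dir : unexpected write access for $($_.IdentityReference)" }
}
```

Run it again after the patch is applied only if the directories are to be kept; the verification loop at the end can also be scheduled on its own to detect ACL drift on these paths.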

Questions

For questions or problems regarding these vulnerabilities please contact Veritas Technical Support (https://www.veritas.com/support).