- 1.0: December 23, 2020: Initial version
- 1.1: January 8, 2021: Added CVE ID, updated description
As part of our ongoing testing process, Veritas has discovered an issue where Veritas Enterprise Vault could allow an attacker to run arbitrary code with administrator privilege.
On start-up, the Enterprise Vault application loads the OpenSSL library. OpenSSL then attempts to load the openssl.cnf configuration file from the following path, which does not exist by default, on both the system drive (typically C:\) and the Enterprise Vault installation drive (typically not C:\):
- SMTP Server: \Isode\etc\ssl\openssl.cnf
By default, on Windows systems, users can create directories under C:\. A low-privileged user on the Windows system without any privileges in Enterprise Vault can therefore create an openssl.cnf configuration file at the paths specified above that loads a malicious OpenSSL engine, resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, all installed applications, etc.
This vulnerability only affects Enterprise Vault server if the following component is enabled:
- SMTP Server – SMTP Archiving
The Enterprise Vault client applications are not impacted.
Enterprise Vault versions 14.0, 12.5.2, 12.5.1, 12.5, 12.4.2, 12.4.1, 12.4, 12.3.2, 12.3.1, 12.3, 12.2.3, 12.2.2, 12.2.1, 12.2, 12.1.3, 12.1.2, 12.1.1, 12.1, 12.0.4, 12.0.3, 12.0.2, 12.0.1, 12.0. Earlier unsupported versions may be affected as well.
Customers under a current maintenance contract can upgrade and/or apply a patch if and when it is made available by Veritas.
Using an administrator account, create the directories specified above and set the ACL on each directory to deny write access to all other users. This will prevent an attacker from installing a malicious OpenSSL engine.
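The following PowerShell script is an added example of that mitigation; it is not part of the Veritas advisory. It pre-creates the \Isode\etc\ssl directory on the system drive and on the Enterprise Vault installation drive, warns if an openssl.cnf is already present there, and replaces the inherited ACL with one that grants write access only to SYSTEM and Administrators (achieving the advisory's "deny write access to all other users" by removing inheritance rather than adding a Deny ACE). The installation drive letter ($InstallDrive) is an assumption to be supplied by the operator; run from an elevated session.

```powershell
# Added example (not from the advisory): lock down the openssl.cnf search path.
# Assumption: $InstallDrive is the drive where Enterprise Vault is installed.
param(
    [string]$InstallDrive = 'D:'
)

$relativePath = 'Isode\etc\ssl'   # path searched by OpenSSL, per the advisory
$drives = @($env:SystemDrive, $InstallDrive) | Select-Object -Unique

foreach ($drive in $drives) {
    $dir = Join-Path -Path "$drive\" -ChildPath $relativePath
    $cnf = Join-Path -Path $dir -ChildPath 'openssl.cnf'

    # The file is not expected to exist. If it does, it may have been planted by a
    # low-privileged user and should be examined before the service next starts.
    if (Test-Path -LiteralPath $cnf) {
        $owner = (Get-Acl -LiteralPath $cnf).Owner
        Write-Warning "Unexpected file present: $cnf (owner: $owner)"
    }

    # Create the directory chain ourselves so no other user can create it first.
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # Start from the current ACL, break inheritance and discard inherited ACEs,
    # then remove any remaining explicit ACEs so only our rules apply.
    $acl = Get-Acl -LiteralPath $dir
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) {
        if (-not $ace.IsInherited) { $acl.RemoveAccessRule($ace) | Out-Null }
    }

    # Rules apply to the directory, its subfolders and files.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $rules = @(
        New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',    'FullControl',    $inherit, $prop, 'Allow'),
        New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl',    $inherit, $prop, 'Allow'),
        New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Users',          'ReadAndExecute', $inherit, $prop, 'Allow')
    )
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -LiteralPath $dir -AclObject $acl

    Write-Output "Hardened $dir"
}
```

Verify the result with `icacls C:\Isode\etc\ssl`: only SYSTEM, Administrators and a read-only Users entry should be listed, with no inherited (I) entries.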
For questions or problems regarding these vulnerabilities please contact Veritas Technical Support (https://www.veritas.com/support).