- 1.0: December 23, 2020: Initial version
- 1.1: January 8, 2021: Added CVE ID, updated description
- 1.2: January 25, 2021: Updated Remediation and Mitigation sections
As part of our ongoing testing process Veritas has discovered an issue where Veritas Enterprise Vault could allow an attacker to run arbitrary code with administrator privilege.
On start-up, the Enterprise Vault application loads the OpenSSL library. The OpenSSL library then attempts to load the openssl.cnf configuration file which does not exist at the following locations in both the System drive (typically C:\) and the Enterprise Vault installation drive (typically not C:\):
SMTP Server: \Isode\etc\ssl\openssl.cnf
By default, on Windows systems, users can create directories under C:\. A low privileged user on the Windows system without any privileges in Enterprise Vault can create a openssl.cnf configuration file at the paths specified above to load a malicious OpenSSL engine resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, to access all installed applications, etc.
This vulnerability only affects Enterprise Vault server if the following component is enabled:
- SMTP Server – SMTP Archiving
The Enterprise Vault client applications are not impacted.
Enterprise Vault versions 14.0, 12.5.2, 12.5.1, 12.5. 12.4.2. 12.4.1. 12.4, 12.3.2, 12.3.1, 12.3, 12.2.3, 12.2.2, 12.2.1, 12.2, 12.1.3, 12.1.2, 12.1.1, 12.1, 12.0.4, 12.0.3, 12.0.2, 12.0.1, 12.0. Earlier unsupported versions may be affected as well.
Customers under a current maintenance contract can download and install updates and patches as described below:
- If you are on Enterprise Vault 12.5.x:
- Install Enterprise Vault (Maintenance Release 12.5.3)
If you are on Veritas Enterprise Vault 12.4.x or older, Veritas recommends that you upgrade to Enterprise Vault 12.5 and then install 12.5.3 Maintenance Release.
If you are on Veritas Enterprise Vault 14.0, Veritas recommends that you download and install Enterprise Vault Maintenance Release 14.0.1 as soon as it is available.
See the Veritas Download Center for available updates:(https://www.veritas.com/support/en_US/downloads)
If not using Enterprise Vault 12.5.3 then using an administrator account create the directories specified above and set the ACL on the directory to deny write access to all other users. This will prevent an attacker from installing a malicious OpenSSL engine. Please follow the steps as specified in this Knowledge Base (article.)
For questions or problems regarding these vulnerabilities please contact Veritas Technical Support (https://www.veritas.com/support).