Revision History

  • 1.0: December 23, 2020: Initial version
  • 1.1: January 8, 2021: Added CVE ID, updated description
  • 1.2: January 25, 2021: Updated Remediation and Mitigation sections

Summary

As part of our ongoing testing process, Veritas has discovered an issue where Veritas Enterprise Vault could allow an attacker to run arbitrary code with administrator (SYSTEM) privileges.

Issue

CVE ID: CVE-2020-36164
Severity: Critical
CVSS v3.1 Base Score: 9.3 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

On start-up, the Enterprise Vault application loads the OpenSSL library. The OpenSSL library then attempts to load an openssl.cnf configuration file from the following location, which does not exist by default, on both the system drive (typically C:\) and the Enterprise Vault installation drive (typically not C:\):

SMTP Server: \Isode\etc\ssl\openssl.cnf

By default, on Windows systems, any user can create directories under C:\. A low-privileged user on the Windows system, without any privileges in Enterprise Vault, can therefore create the missing directories and place an openssl.cnf configuration file at the paths specified above that loads a malicious OpenSSL engine, resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, all installed applications, etc.

This vulnerability only affects Enterprise Vault server if the following component is enabled:

  • SMTP Server – SMTP Archiving

The Enterprise Vault client applications are not impacted.

Affected Versions

Enterprise Vault versions 14.0, 12.5.2, 12.5.1, 12.5, 12.4.2, 12.4.1, 12.4, 12.3.2, 12.3.1, 12.3, 12.2.3, 12.2.2, 12.2.1, 12.2, 12.1.3, 12.1.2, 12.1.1, 12.1, 12.0.4, 12.0.3, 12.0.2, 12.0.1, 12.0. Earlier unsupported versions may be affected as well.

Remediation

Customers under a current maintenance contract can download and install updates and patches as described below:

If you are on Veritas Enterprise Vault 12.4.x or older, Veritas recommends that you upgrade to Enterprise Vault 12.5 and then install 12.5.3 Maintenance Release.

If you are on Veritas Enterprise Vault 14.0, Veritas recommends that you download and install Enterprise Vault Maintenance Release 14.0.1 as soon as it is available.

See the Veritas Download Center for available updates: https://www.veritas.com/support/en_US/downloads

Mitigation

If you are not running a fixed release (12.5.3, or 14.0.1 once it is available), use an administrator account to create the directories specified above on both the system drive and the Enterprise Vault installation drive, and set the ACL on each directory so that no user other than SYSTEM and Administrators can create or write files in it. This prevents an attacker from placing an openssl.cnf file and a malicious OpenSSL engine where the service will load them. Please follow the steps specified in this Knowledge Base article.
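The following PowerShell script is an added example of the mitigation described above, not code from the advisory or from Veritas. It pre-creates the Isode\etc\ssl directory on each listed drive, replaces the inherited (permissive) ACL with one that grants write access only to SYSTEM and Administrators, and then audits the result. The drive list is an assumption (E: stands in for the Enterprise Vault installation drive; adjust it to your server), and the relative path is the one the advisory gives for the SMTP Server component.

```powershell
#Requires -RunAsAdministrator
# Added example (not Veritas code): pre-create and lock down the openssl.cnf search
# directory so a low-privileged user cannot plant openssl.cnf there.
param(
    # Assumption: E: is the Enterprise Vault installation drive. Replace as appropriate.
    [string[]]$Drives = @($env:SystemDrive, 'E:')
)

# Relative location of the openssl.cnf the SMTP Server component tries to load (from the advisory).
$RelativePath = 'Isode\etc\ssl'
$TrustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Get-OpenSslConfigDir {
    param([Parameter(Mandatory)][string]$Drive)
    Join-Path ($Drive.TrimEnd('\') + '\') $RelativePath
}

function Protect-OpenSslConfigDir {
    param([Parameter(Mandatory)][string]$Drive)
    $dir = Get-OpenSslConfigDir -Drive $Drive
    $cnf = Join-Path $dir 'openssl.cnf'

    # If a config file is already present, someone other than the installer put it there:
    # stop and investigate rather than silently locking an attacker's file in place.
    if (Test-Path $cnf) {
        throw "Unexpected file $cnf already exists; investigate before applying the mitigation."
    }

    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    $acl = Get-Acl -Path $dir
    # Stop inheriting from the drive root, whose default ACL lets Users create subdirectories,
    # and do not copy the inherited entries into this directory.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) {
        if (-not $rule.IsInherited) { $acl.RemoveAccessRule($rule) | Out-Null }
    }

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    # Only SYSTEM and Administrators may write (the service runs as SYSTEM per the advisory).
    foreach ($id in $TrustedWriters) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', $inherit, $prop, $allow)))
    }
    # Everyone else gets read/execute only; "deny write" is achieved by not granting it.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\Authenticated Users', 'ReadAndExecute', $inherit, $prop, $allow)))

    Set-Acl -Path $dir -AclObject $acl
    $dir
}

function Test-OpenSslConfigDir {
    # Audit: report any principal outside the trusted set that can still create or write files here.
    param([Parameter(Mandatory)][string]$Drive)
    $dir = Get-OpenSslConfigDir -Drive $Drive
    if (-not (Test-Path $dir)) {
        return [pscustomobject]@{ Path = $dir; Status = 'MISSING'; Writers = @() }
    }
    $writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $writers = (Get-Acl -Path $dir).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $writeBits) -ne 0) -and
        ($TrustedWriters -notcontains $_.IdentityReference.Value)
    } | ForEach-Object { $_.IdentityReference.Value }
    $cnfPresent = Test-Path (Join-Path $dir 'openssl.cnf')
    [pscustomobject]@{
        Path    = $dir
        Status  = if ($cnfPresent) { 'CONFIG FILE PRESENT' } elseif ($writers) { 'WRITABLE' } else { 'OK' }
        Writers = @($writers)
    }
}

foreach ($d in $Drives) {
    Protect-OpenSslConfigDir -Drive $d | Out-Null
    Test-OpenSslConfigDir -Drive $d
}
```

The script deliberately withholds write access instead of adding an explicit Deny ACE for BUILTIN\Users: on most servers administrators are also members of Users, and because Deny entries take precedence a Deny on Users would lock administrators out of the directory as well. Run the audit function again after any future maintenance that touches these drives, and treat an unexpected openssl.cnf at either path as an indicator of attempted exploitation rather than a file to be overwritten.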

Questions

For questions or problems regarding this vulnerability, please contact Veritas Technical Support (https://www.veritas.com/support).