Revision History

  • 1.0: December 23, 2020: Initial version
  • 1.1: January 8, 2021: Added CVE ID, updated Remediation and Mitigation sections

Summary

As part of our ongoing testing process Veritas has discovered an issue where Veritas APTARE IT Analytics could allow an attacker to run arbitrary code with administrator privilege.

Issue

CVE ID: CVE-2020-36161
Severity: Critical
CVSS v3.1 Base Score: 9.3 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

On start-up, the APTARE application loads OpenSSL, and the library attempts to read an OpenSSL configuration file (openssl.cnf) from a fixed, version-dependent location. That file does not exist in a default installation; the locations searched are:

  • APTARE 10.4, and prior: \apache24\conf\openssl.cnf
  • APTARE 10.5: \usr\local\ssl\openssl.cnf

By default on Windows, any authenticated user can create directories directly under C:\. A low-privileged user on the Windows system, with no privileges in APTARE at all, can therefore create the directory at the configuration file location above and place an openssl.cnf in it that instructs OpenSSL to load a malicious engine. When the Windows system (and with it the APTARE service) restarts, OpenSSL reads that file and loads the engine, giving the attacker arbitrary code execution as SYSTEM. That is full administrator access to the host: by default it lets the attacker read all data, use all installed applications, and so on. A related vulnerability that enables similar access exists in the OpenSSL executables Veritas distributes with APTARE for Linux servers.

Affected Versions

APTARE IT Analytics versions 10.5 and 10.4.

Remediation

Customers under a current maintenance contract can download and install updates and patches as described below:

These maintenance releases are available in Veritas Update for automated download and installation.

If you are on APTARE IT Analytics 10.3 or older, Veritas recommends that you upgrade to APTARE IT Analytics 10.5.

See the Veritas Download Center for available updates: https://www.veritas.com/support/en_US/downloads

Mitigation

On Windows implementations, using an administrator account, create the directory paths listed above and set the ACL on each directory to deny write access to all other users. Because the directory then already exists and cannot be written to by a low-privileged user, the attacker can no longer plant a configuration file and a malicious OpenSSL engine there. In addition, remove the bundled OpenSSL executable: on Windows C:\opt\apache\bin\openssl.exe and/or on Linux /opt/apache/ssl/bin/openssl. For more detailed manual steps, please see the APTARE IT Analytics Security Vulnerability Support Article.
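The following PowerShell script is an added example of the Windows mitigation above and of the check a practitioner would run afterwards; it is not part of the Veritas advisory or support article and is not Veritas code. It pre-creates both openssl.cnf search directories named in the Issue section, replaces their ACLs with an allow list (Administrators and SYSTEM full control, Users read-only, plus an explicit deny of write/delete for Users), removes the bundled openssl.exe, and then reports any remaining ACE that still grants write access to a non-administrative principal. The drive letter (C:) and the principal names are assumptions; adjust them to the installation. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not Veritas code): harden the OpenSSL config search paths
# named in the advisory so a low-privileged user cannot create them.
# Assumption: APTARE is installed on C:; paths are taken from the advisory.

#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$drive = 'C:'                                   # assumption: install drive
$cnfDirs = @(
    "$drive\apache24\conf",                     # APTARE 10.4 and prior
    "$drive\usr\local\ssl"                      # APTARE 10.5
)
$opensslExe = "$drive\opt\apache\bin\openssl.exe"   # bundled binary named in the advisory

function Protect-OpenSslConfigDir {
    param([Parameter(Mandatory)][string]$Path)

    # 1. Create the directory first so an unprivileged user cannot.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path -Force | Out-Null
    }

    # 2. A default install has no openssl.cnf here; an existing one is suspect.
    $cnf = Join-Path $Path 'openssl.cnf'
    if (Test-Path -LiteralPath $cnf) {
        Write-Warning "Unexpected $cnf found; review it and remove it before the next restart."
    }

    # 3. Drop inherited ACEs (the permissive C:\ defaults) and install an
    #    explicit allow list plus a deny-write rule for Users.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)          # protect, do not copy inherited
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None

    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        'BUILTIN\Administrators', 'FullControl', $inherit, $prop, 'Allow'))
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        'NT AUTHORITY\SYSTEM', 'FullControl', $inherit, $prop, 'Allow'))
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        'BUILTIN\Users', 'ReadAndExecute', $inherit, $prop, 'Allow'))
    # Explicit deny wins over any allow; blocks file/dir creation and deletion.
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        'BUILTIN\Users', 'Write,Delete,DeleteSubdirectoriesAndFiles', $inherit, $prop, 'Deny'))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

foreach ($dir in $cnfDirs) { Protect-OpenSslConfigDir -Path $dir }

# 4. Remove the bundled OpenSSL command-line binary, as the advisory recommends.
if (Test-Path -LiteralPath $opensslExe) {
    Remove-Item -LiteralPath $opensslExe -Force
}

# 5. Verify: flag any Allow ACE that still grants write-class rights to a
#    principal other than Administrators or SYSTEM.
foreach ($dir in $cnfDirs) {
    (Get-Acl -LiteralPath $dir).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl' -and
            $_.IdentityReference.Value -notmatch 'Administrators|SYSTEM'
        } |
        ForEach-Object { Write-Warning "$dir is still writable by $($_.IdentityReference)" }
}
```

The service itself runs as SYSTEM, so it keeps read access to the directory; the deny rule only affects members of Users, which covers the low-privileged interactive accounts the advisory describes. If the installation runs under a dedicated service account outside Administrators, grant that account read access explicitly rather than relaxing the deny rule.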

Questions

For questions or problems regarding these vulnerabilities please contact Veritas Technical Support (https://www.veritas.com/support).