Revision History

  • 1.0: December 23, 2020: Initial version
  • 1.1: January 8, 2021: Added CVE ID, updated Description, Remediation and Mitigation sections, corrected Affected Versions

Summary

As part of our ongoing testing process, Veritas has discovered an issue where the Veritas CloudPoint Windows agent could allow an attacker to run arbitrary code with administrator privilege.

Issue

CVE ID: CVE-2020-36162
Severity: Critical
CVSS v3.1 Base Score: 9.3 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

The CloudPoint Windows Agent uses OpenSSL. The OpenSSL library attempts to load the configuration file \usr\local\ssl\openssl.cnf, which does not exist. By default, on Windows systems any user can create directories under <drive>:\. A low-privileged user on the Windows system, with no privileges in CloudPoint, can therefore create a <drive>:\usr\local\ssl\openssl.cnf configuration file that loads a malicious OpenSSL engine, which may result in arbitrary code execution. This would give the attacker administrator access on the system, allowing them (by default) to access all data, all installed applications, etc.

This vulnerability affects the CloudPoint Windows Agent only.
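The following PowerShell audit is an added example and is not part of the Veritas advisory. It checks every fixed drive for the <drive>:\usr\local\ssl\openssl.cnf path described above (an unexpected file there on an unpatched host is worth preserving for investigation rather than deleting) and lists any Allow ACE on the \usr, \usr\local or \usr\local\ssl directories that grants write rights to a broad principal. The definition of "other users" as the well-known SIDs Everyone (S-1-1-0), Authenticated Users (S-1-5-11) and BUILTIN\Users (S-1-5-32-545) is an assumption, and only Allow ACEs are inspected, so a Deny ACE that cancels one of them must be reviewed by hand.

```powershell
# Added example, not part of the Veritas advisory: audit fixed drives for the
# openssl.cnf path the advisory describes and for broadly writable directories
# in that chain. Read-only; makes no changes.

# Assumption: these well-known SIDs stand in for "all other users".
$broadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

# Rights that let a principal plant or replace a file in, or remove, the directory.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, WriteAttributes, WriteExtendedAttributes, ChangePermissions, TakeOwnership'
# Generic rights sometimes show up as raw bits rather than enum names.
$genericWrite = 0x10000000 -bor 0x40000000   # GENERIC_ALL, GENERIC_WRITE

function Get-BroadWriteAce {
    # Returns one object per Allow ACE on $Path that gives a broad SID write rights.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadSids -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band ($writeMask -bor $genericWrite)) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# DriveType 3 = local fixed disk; DeviceID is e.g. 'C:'.
$fixedDrives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' |
    Select-Object -ExpandProperty DeviceID

$aces = foreach ($drive in $fixedDrives) {
    $cnf = Join-Path "$drive\" 'usr\local\ssl\openssl.cnf'
    if (Test-Path -LiteralPath $cnf -PathType Leaf) {
        $owner = (Get-Acl -LiteralPath $cnf).Owner
        $written = (Get-Item -LiteralPath $cnf).LastWriteTime
        Write-Warning "$cnf exists (owner $owner, last written $written); an unpatched agent would load it. Preserve it for investigation."
    }
    if (-not (Test-Path -LiteralPath (Join-Path "$drive\" 'usr') -PathType Container)) {
        # Absent directory on a drive whose root allows folder creation is the exposed state.
        Write-Warning "$drive\usr does not exist; by default any local user can create it."
    }
    foreach ($rel in 'usr', 'usr\local', 'usr\local\ssl') {
        $dir = Join-Path "$drive\" $rel
        if (Test-Path -LiteralPath $dir -PathType Container) { Get-BroadWriteAce -Path $dir }
    }
}

if ($aces) { $aces | Format-Table -AutoSize } else { 'No broadly writable directories found in the \usr\local\ssl chain.' }
```

Run it from any PowerShell session; it needs no elevation because it only reads ACLs. A finding in the Rights column that includes CreateFiles or CreateDirectories on a directory the advisory names means a less privileged user can still place the configuration file.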

Affected Versions

NetBackup with CloudPoint versions 8.3.0.1, 8.3; and CloudPoint standalone versions 2.2.2, 2.2.1, 2.2, 2.1.2, 2.1.1, 2.1, 2.0.2, 2.0.1, 2.0, 1.0.2, 1.0.

Remediation

Customers under a current maintenance contract can download and install the upgrade to NetBackup 8.3.0.1 and apply the HotFix for NetBackup along with CloudPoint components.

Because of the critical nature of this vulnerability, CloudPoint standalone customers under a current maintenance contract are urged to upgrade and/or apply a patch if and when it is made available by Veritas.

See the Veritas Download Center for available updates: https://www.veritas.com/support/en_US/downloads

Mitigation

NOTE: Veritas strongly recommends running a version with the HotFix applied.

  • Workaround
    • This workaround will lower the risk until the applicable HotFix is applied.
    • Using an administrator account, create the directories listed below and set the ACL on each directory to deny write access to all other users.
      • If the directories already exist and their ACLs allow write access to other users, update the ACLs so that only administrator accounts have write access.
    • \usr\local\ssl
      • OS installation drive: for example, C:\usr\local\ssl
    • These directories should not be deleted.
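The following PowerShell script is an added example of the workaround steps above; it is not Veritas code. It creates the directory chain on the OS installation drive ($env:SystemDrive), stops the permissive default ACEs inherited from <drive>:\, and rewrites the ACL so that only BUILTIN\Administrators and SYSTEM can write while other users keep read access. It hardens \usr and \usr\local as well as the \usr\local\ssl directory the advisory names, on the assumption that a writable parent would let a user replace the protected directory, and it takes ownership so that a directory created earlier by a non-administrator cannot have its ACL changed back by its original owner. If an openssl.cnf is already present it warns rather than deleting it.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Veritas advisory: apply the workaround ACL.
# Assumption: the chain to harden is \usr, \usr\local and \usr\local\ssl on
# the OS installation drive; the advisory names only \usr\local\ssl.

$ErrorActionPreference = 'Stop'

$root  = $env:SystemDrive            # e.g. 'C:'
$chain = 'usr', 'usr\local', 'usr\local\ssl' | ForEach-Object { Join-Path "$root\" $_ }

function Set-AdminOnlyWriteAcl {
    # Creates $Path if needed and replaces its DACL with Administrators/SYSTEM full
    # control plus read-only access for BUILTIN\Users, owned by Administrators.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None

    # Well-known SIDs so the script does not depend on the system language.
    $admins = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $system = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')
    $users  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')

    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from <drive>:\ and discard the inherited ACEs (the ones that
    # let any user create folders), then drop any explicit ACEs that were set earlier.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        [void]$acl.RemoveAccessRule($ace)
    }

    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($admins, 'FullControl', $inherit, $prop, 'Allow')))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($system, 'FullControl', $inherit, $prop, 'Allow')))
    # Read-only for other users: they can look but cannot plant openssl.cnf here.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($users, 'ReadAndExecute', $inherit, $prop, 'Allow')))
    # Owner implicitly holds WRITE_DAC, so make sure it is not a previous non-admin creator.
    $acl.SetOwner($admins)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$cnf = Join-Path "$root\" 'usr\local\ssl\openssl.cnf'
if (Test-Path -LiteralPath $cnf -PathType Leaf) {
    Write-Warning "$cnf already exists; review it before relying on this workaround (not removed by this script)."
}

foreach ($dir in $chain) { Set-AdminOnlyWriteAcl -Path $dir }

# Show the resulting ACLs so the change can be verified and recorded.
foreach ($dir in $chain) { Get-Acl -LiteralPath $dir | Format-List Path, Owner, AccessToString }
```

Run it from an elevated PowerShell session. Re-running it is safe: existing directories are kept and their ACLs are simply rewritten, which also covers the case in the workaround where the directories already exist with permissive ACLs.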

Questions

For questions or problems regarding this vulnerability please contact Veritas Technical Support (https://www.veritas.com/support).