Revision History

  • 1.0: December 23, 2020: Initial version
  • 1.1: January 8, 2021: Added CVE ID, updated the Mitigation section.

Summary

As part of our ongoing testing process Veritas has discovered an issue where Veritas InfoScale on Windows could allow an attacker to run arbitrary code with administrator privilege.

Issue

CVE ID: CVE-2020-36166
Severity: Critical
CVSS v3.1 Base Score: 9.3 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

On start-up, the InfoScale application loads the OpenSSL library from \usr\local\ssl. This library attempts to load the \usr\local\ssl\openssl.cnf configuration file which may not exist. On Windows systems, this path could translate to <drive>:\usr\local\ssl\openssl.cnf, where <drive> could be the default Windows installation drive such as C:\ or the drive where the InfoScale product is installed. By default, on Windows systems, users can create directories under C:\. A low privileged user on the Windows system without any privileges in InfoScale can create a <drive>:\usr\local\ssl\openssl.cnf configuration file to load a malicious OpenSSL engine resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, to access all installed applications, etc.

This vulnerability affects InfoScale Storage, Availability, Enterprise, Storage Foundation for Windows, Storage Foundation HA for Windows, and Veritas InfoScale Operations Manager (VIOM).

Affected Versions

Veritas InfoScale Windows versions 7.4.2, 7.4.1, 7.4, 7.3.1, 7.3, 7.2, 7.1, 7.0.1, 7.0, Storage Foundation HA for Windows 6.1, and Storage Foundation for Windows 6.1. Earlier unsupported versions may be affected as well.

Veritas InfoScale Operations Manager (VIOM) Windows Management Server versions 7.4.2, 7.4, 7.3.1, 7.3, 7.2, 7.1, 7.0. Earlier unsupported versions may be affected as well.

Non-Windows platforms are not affected.

Remediation

Customers under a current maintenance contract can upgrade and/or apply a patch if and when it is made available by Veritas.

Mitigation

On Windows implementations, using an administrator account, create the directory ‘\usr\local\ssl’ on the system drive and on the drive where the InfoScale product is installed, and set the ACL on the directory to deny write access to all other users. This will prevent an attacker from installing a malicious OpenSSL engine.

  • To find the system drive, run echo %SYSTEMDRIVE% at a command prompt.
  • To find the drive where InfoScale is installed, run either echo %VMPATH% or echo %VCS_ROOT% at a command prompt.

Example:

  • If the SYSTEMDRIVE is C: and the InfoScale product is also installed on drive C: under path “C:\XYZ”, then create the following directory and set the ACL on the directory to deny write access to all other users.
    • C:\usr\local\ssl
  • If the SYSTEMDRIVE is C: and the InfoScale product is installed on drive D: under path “D:\XYZ”, then create the following directories and set the ACL on the directories to deny write access to all other users.
    • C:\usr\local\ssl
    • D:\usr\local\ssl
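The mitigation above, scripted as an added example (not Veritas' own tooling): it reads the drives from the environment variables the advisory names, creates \usr\local\ssl on each, and locks the directory so that only SYSTEM and Administrators can write. It assumes %SYSTEMDRIVE%, %VMPATH% and %VCS_ROOT% are set as described, and it realises "deny write access to all other users" as an explicit-Allow-only ACL with inheritance disabled (one of several ways to meet that requirement).

```powershell
# Added example, not part of the Veritas advisory. Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

function Get-InfoScaleDrives {
    # System drive plus the drive(s) holding the InfoScale install (assumed env vars per the advisory).
    @($env:SystemDrive, $env:VMPATH, $env:VCS_ROOT) |
        Where-Object { $_ } |
        ForEach-Object { [System.IO.Path]::GetPathRoot($_) } |
        Where-Object { $_ } |
        ForEach-Object { $_.TrimEnd('\') } |
        Sort-Object -Unique
}

function Protect-OpenSslConfigDir {
    param([Parameter(Mandatory)][string]$Drive)   # e.g. 'C:'

    $dir = Join-Path "$Drive\" 'usr\local\ssl'
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }

    $acl = Get-Acl -LiteralPath $dir
    # Disable inheritance so the default "Users can create folders" ACE on the drive root
    # does not flow down; do not copy the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any pre-existing explicit entries so the result is exactly the three below.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($rule)
    }

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    # No write right is granted to anyone except SYSTEM and Administrators, so an
    # unprivileged user cannot drop an openssl.cnf (or an engine DLL) into this directory.
    foreach ($entry in @(
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Users';          Rights = 'ReadAndExecute' }
    )) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $entry.Id, $entry.Rights, $inherit, $prop, $allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $dir -AclObject $acl
    Write-Host "Protected $dir"
}

foreach ($drive in Get-InfoScaleDrives) { Protect-OpenSslConfigDir -Drive $drive }
```

Afterwards, confirm the result with icacls <drive>:\usr\local\ssl: only SYSTEM and Administrators should show (F), and Users should show read/execute only, with no (I) inherited entries.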

Questions

For questions or problems regarding this vulnerability please contact Veritas Technical Support (https://www.veritas.com/support).