Revision History
- 1.0: December 23, 2020: Initial version
- 1.1: January 8, 2021: Added CVE ID
Summary
As part of our ongoing testing process Veritas has discovered an issue where Veritas VRP/NetBackup Resiliency Platform could allow an attacker to run arbitrary code with administrator privilege.
Issue
CVE ID: CVE-2020-36168
Severity: Critical
CVSS v3.1 Base Score: 9.3 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
VRP/NetBackup Resiliency Platform leverages OpenSSL on Windows systems when using the Managed Host addon. On start-up, the VRP/NetBackup Resiliency Platform service loads the OpenSSL library. This library may attempt to load the openssl.cnf configuration file which does not exist. By default, on Windows systems, users can create directories under C:\. A low privileged user on the Windows system without any privileges in VRP/NetBackup Resiliency Platform can create a C:\usr\local\ssl\openssl.cnf configuration file to load a malicious OpenSSL engine resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, to access all installed applications, etc.
This vulnerability affects VRP/NetBackup Resiliency Platform.
Affected Versions
VRP/NetBackup Resiliency Platform versions 3.4 and 3.5 are affected. Earlier unsupported versions may be affected as well.
Remediation
Customers under a current maintenance contract can download and install VRP/NetBackup Resiliency Platform v3.6 when available in January 2021 or apply a patch for v3.4 or v3.5. to fix the vulnerability.
See the Veritas Download Center for available updates: https://www.veritas.com/support/en_US/downloads
Mitigation
If not using VRP/NetBackup Resiliency Platform v3.6 or patched versions of 3.4 or 3.5 then using an administrator account create the directory ‘\usr\local\ssl’ under root of all drives and set the ACL on the directory to deny write access to all other users. This will prevent an attacker from installing a malicious OpenSSL engine.
Questions
For questions or problems regarding these vulnerabilities please contact Veritas Technical Support (https://www.veritas.com/support).