CVE-2020-36160

An issue was discovered in Veritas System Recovery before 21.2. On start-up, it loads the OpenSSL library from \usr\local\ssl. This library attempts to load the from \usr\local\ssl\openssl.cnf configuration file, which does not exist. By default, on Windows systems, users can create directories under C:\. A low privileged user can create a C:\usr\local\ssl\openssl.cnf configuration file to load a malicious OpenSSL engine, resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data and installed applications, etc. If the system is also an Active Directory domain controller, then this can affect the entire domain.

CVSS v3 9.3 CRITICAL
CVSS v2.0 7.2 HIGH

9.3^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.5 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

7.2^/10

CVSS v2.0 : HIGH

Vector : AV:L/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 3.9 / Impact : 10.0

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://www.veritas.com/content/support/en_US/security/VTS20-017	Vendor Advisory
https://www.veritas.com/content/support/en_US/security/VTS20-017	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:veritas:system_recovery:*:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

History

21 Nov 2024, 05:28

Type	Values Removed	Values Added
References	~~() https://www.veritas.com/content/support/en_US/security/VTS20-017 - Vendor Advisory~~	() https://www.veritas.com/content/support/en_US/security/VTS20-017 - Vendor Advisory
CVSS	v2 : ~~7.2~~ v3 : ~~8.8~~	v2 : 7.2 v3 : 9.3

Information

Published : 2021-01-06 01:15

Updated : 2024-11-21 05:28

NVD link : CVE-2020-36160

Mitre link : CVE-2020-36160

CVE.ORG link : CVE-2020-36160

JSON object : View

Products Affected

veritas

system_recovery

microsoft

windows

CWE

NVD-CWE-noinfo

{"id": "CVE-2020-36160", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.2, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "LOCAL", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.5}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.0}]}, "published": "2021-01-06T01:15:12.747", "references": [{"url": "https://www.veritas.com/content/support/en_US/security/VTS20-017", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.veritas.com/content/support/en_US/security/VTS20-017", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Veritas System Recovery before 21.2. On start-up, it loads the OpenSSL library from \\usr\\local\\ssl. This library attempts to load the from \\usr\\local\\ssl\\openssl.cnf configuration file, which does not exist. By default, on Windows systems, users can create directories under C:\\. A low privileged user can create a C:\\usr\\local\\ssl\\openssl.cnf configuration file to load a malicious OpenSSL engine, resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data and installed applications, etc. If the system is also an Active Directory domain controller, then this can affect the entire domain."}, {"lang": "es", "value": "Se detect\u00f3 un problema en Veritas System Recovery versiones anteriores a 21.2. Al iniciarse, carga la biblioteca OpenSSL desde \\usr\\local\\ssl. Esta biblioteca intenta cargar el archivo de configuraci\u00f3n desde \\usr\\local\\ssl\\openssl.cnf, que no existe. Por defecto, en los sistemas Windows, los usuarios pueden crear directorios en C:\\. Un usuario poco privilegiado puede crear un archivo de configuraci\u00f3n C:\\usr\\local\\ssl\\openssl.cnf para cargar un motor OpenSSL malicioso, resultando en una ejecuci\u00f3n de c\u00f3digo arbitraria como SYSTEM cuando se inicia el servicio. Esto le otorga al atacante acceso de administrador al sistema, permitiendo al atacante (por defecto) acceder a todos los datos y aplicaciones instaladas, etc. Si el sistema tambi\u00e9n es un controlador de dominio de Active Directory, entonces esto puede afectar a todo el dominio"}], "lastModified": "2024-11-21T05:28:50.850", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:veritas:system_recovery:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "45D3164A-FD51-40C7-90D8-F1FF08CAC2A2", "versionEndExcluding": "21.2"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}