==================================================================== CERT-Renater Note d'Information No. 2021/VULN036 _____________________________________________________________________ DATE : 21/01/2021 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Veritas Backup Exec versions prior to 21.1 Hotfix 657517 (Engineering version 21.0.1200.1217), 20.6 Hotfix 298543 (Engineering version 20.0.1188.2734). ===================================================================== https://kb.cert.org/vuls/id/429301 _____________________________________________________________________ Veritas Backup Exec is vulnerable to privilege escalation due to OPENSSLDIR location Vulnerability Note VU#429301 Original Release Date: 2020-12-23 | Last Revised: 2021-01-06 Overview Veritas Backup Exec contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user can create files. Description CVE-2019-1552 Veritas Backup Exec includes an OpenSSL component that specifies an OPENSSLDIR variable as /usr/local/ssl/. On the Windows platform, this path is interpreted as C:\usr\local\ssl. Backup Exec contains a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges. Impact By placing a specially-crafted openssl.cnf in the C:\usr\local\ssl directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Veritas software installed. Solution Apply an update This vulnerability is addressed in Backup Exec 21.1 Hotfix 657517 (Engineering version 21.0.1200.1217) and Backup Exec 20.6 Hotfix 298543 (Engineering version 20.0.1188.2734). Create a C:\usr\local\ssl directory In cases where an update cannot be installed, this vulnerability can be mitigated by creating a C:\usr\local\ssl directory and restricting ACLs to prevent unprivileged users from being able to write to this location. Acknowledgements This vulnerability was reported by Will Dormann of the CERT/CC. This document was written by Will Dormann. Vendor Information Veritas Technologies Affected Notified: 2020-11-11 Updated: 2020-12-23 CVE-2020-36167 Affected Vendor Statement We have not received a statement from the vendor. References https://www.veritas.com/content/support/en_US/security/VTS20-010 https://www.veritas.com/content/support/en_US/downloads/update.UPD657517 https://www.veritas.com/content/support/en_US/downloads/update.UPD298543 References https://www.veritas.com/content/support/en_US/security/VTS20-010 https://www.veritas.com/content/support/en_US/downloads/update.UPD657517 https://www.veritas.com/content/support/en_US/downloads/update.UPD298543 Other Information CVE IDs: CVE-2020-36167 Date Public: 2020-12-23 Date First Published: 2020-12-23 Date Last Updated: 2021-01-06 18:37 UTC Document Revision: 3 ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================