{"vuid":"VU#429301","idnumber":"429301","name":"Veritas Backup Exec is vulnerable to privilege escalation due to OPENSSLDIR location","keywords":null,"overview":"### Overview\r\n\r\nVeritas Backup Exec contains a privilege escalation vulnerability due to the use of an `OPENSSLDIR` variable that specifies a location where an unprivileged Windows user can create files.\r\n\r\n### Description\r\n\r\n**CVE-2019-1552**\r\n\r\nVeritas Backup Exec includes an OpenSSL component that specifies an `OPENSSLDIR` variable as  `/usr/local/ssl/`. On the Windows platform, this path is interpreted as `C:\\usr\\local\\ssl`. Backup Exec contains a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted `openssl.cnf` file to achieve arbitrary code execution with SYSTEM privileges.\r\n\r\n### Impact\r\nBy placing a specially-crafted `openssl.cnf` in the `C:\\usr\\local\\ssl` directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Veritas software installed.\r\n\r\n### Solution\r\n\r\n#### Apply an update\r\nThis vulnerability is [addressed](https://www.veritas.com/content/support/en_US/security/VTS20-010) in Backup Exec 21.1 [Hotfix 657517](https://www.veritas.com/content/support/en_US/downloads/update.UPD657517) (Engineering version 21.0.1200.1217) and Backup Exec 20.6 [Hotfix 298543](https://www.veritas.com/content/support/en_US/downloads/update.UPD298543) (Engineering version 20.0.1188.2734).\r\n\r\n#### Create a C:\\usr\\local\\ssl directory\r\nIn cases where an update cannot be installed, this vulnerability can be mitigated by creating a `C:\\usr\\local\\ssl` directory and restricting ACLs to prevent unprivileged users from being able to write to this location.\r\n\r\n### Acknowledgements\r\nThis vulnerability was reported by Will Dormann of the CERT/CC.\r\n\r\nThis document was written by Will Dormann.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://www.veritas.com/content/support/en_US/security/VTS20-010","https://www.veritas.com/content/support/en_US/downloads/update.UPD657517","https://www.veritas.com/content/support/en_US/downloads/update.UPD298543"],"cveids":["CVE-2020-36167"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2020-12-23T20:15:31.419797Z","publicdate":"2020-12-23T20:15:31.248229Z","datefirstpublished":"2020-12-23T20:15:31.444044Z","dateupdated":"2021-01-06T18:37:26.989388Z","revision":3,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":34}