CVE-2020-36162
First published: Wed Jan 06 2021(Updated: )
An issue was discovered in Veritas CloudPoint before 8.3.0.1+hotfix. The CloudPoint Windows Agent leverages OpenSSL. This OpenSSL library attempts to load the \usr\local\ssl\openssl.cnf configuration file, which does not exist. By default, on Windows systems users can create directories under <drive>:\. A low privileged user can create a <drive>:\usr\local\ssl\openssl.cnf configuration file to load a malicious OpenSSL engine, which may result in arbitrary code execution. This would give the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Veritas NetBackup CloudPoint | =1.0 | |
| Veritas NetBackup CloudPoint | =1.0.2 | |
| Veritas NetBackup CloudPoint | =2.0 | |
| Veritas NetBackup CloudPoint | =2.0.1 | |
| Veritas NetBackup CloudPoint | =2.0.2 | |
| Veritas NetBackup CloudPoint | =2.1 | |
| Veritas NetBackup CloudPoint | =2.1.1 | |
| Veritas NetBackup CloudPoint | =2.1.2 | |
| Veritas NetBackup CloudPoint | =2.2 | |
| Veritas NetBackup CloudPoint | =2.2.1 | |
| Veritas NetBackup CloudPoint | =2.2.2 | |
| Veritas NetBackup CloudPoint | =8.3 | |
| Veritas NetBackup CloudPoint | =8.3.0.1 | |
| Microsoft Windows |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2020-36162?
The severity of CVE-2020-36162 is classified as medium risk, as it pertains to a configuration issue that could lead to potential exploitation.
How do I fix CVE-2020-36162?
To fix CVE-2020-36162, ensure that the OpenSSL configuration file \usr\local\ssl\openssl.cnf is properly created and configured.
Which versions of Veritas CloudPoint are affected by CVE-2020-36162?
CVE-2020-36162 affects Veritas CloudPoint versions 1.0 through 2.2.2 and Veritas Netbackup Cloudpoint 8.3 up until 8.3.0.1.
Is CVE-2020-36162 a critical vulnerability?
CVE-2020-36162 is not classified as a critical vulnerability, but it still poses a risk due to potential misconfigurations.
Can I mitigate CVE-2020-36162 without updating my software?
Yes, you can mitigate CVE-2020-36162 by creating the missing OpenSSL configuration file and ensuring it is correctly set up.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/references
- agent/severity
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/veritas
- canonical/veritas netbackup cloudpoint
- version/veritas netbackup cloudpoint/1.0
- version/veritas netbackup cloudpoint/1.0.2
- version/veritas netbackup cloudpoint/2.0
- version/veritas netbackup cloudpoint/2.0.1
- version/veritas netbackup cloudpoint/2.0.2
- version/veritas netbackup cloudpoint/2.1
- version/veritas netbackup cloudpoint/2.1.1
- version/veritas netbackup cloudpoint/2.1.2
- version/veritas netbackup cloudpoint/2.2
- version/veritas netbackup cloudpoint/2.2.1
- version/veritas netbackup cloudpoint/2.2.2
- version/veritas netbackup cloudpoint/8.3
- version/veritas netbackup cloudpoint/8.3.0.1
- vendor/microsoft
- canonical/microsoft windows