CVE-2020-36166
First published: Wed Jan 06 2021(Updated: )
An issue was discovered in Veritas InfoScale 7.x through 7.4.2 on Windows, Storage Foundation through 6.1 on Windows, Storage Foundation HA through 6.1 on Windows, and InfoScale Operations Manager (aka VIOM) Windows Management Server 7.x through 7.4.2. On start-up, it loads the OpenSSL library from \usr\local\ssl. This library attempts to load the \usr\local\ssl\openssl.cnf configuration file, which may not exist. On Windows systems, this path could translate to <drive>:\usr\local\ssl\openssl.cnf, where <drive> could be the default Windows installation drive such as C:\ or the drive where a Veritas product is installed. By default, on Windows systems, users can create directories under any top-level directory. A low privileged user can create a <drive>:\usr\local\ssl\openssl.cnf configuration file to load a malicious OpenSSL engine, resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Veritas InfoScale | >=7.0.0<=7.4.2 | |
| Veritas InfoScale Operations Manager | >=7.0.0<=7.4.2 | |
| Veritas Storage Foundation | <=6.1 | |
| Veritas Storage Foundation And High Availability | <=6.1 | |
| Microsoft Windows |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2020-36166?
CVE-2020-36166 is an issue discovered in Veritas InfoScale, Storage Foundation, and InfoScale Operations Manager on Windows.
What is the severity of CVE-2020-36166?
CVE-2020-36166 has a severity rating of 8.8 (critical).
Which software versions are affected by CVE-2020-36166?
Veritas InfoScale versions 7.0.0 through 7.4.2, Veritas InfoScale Operations Manager versions 7.0.0 through 7.4.2, Veritas Storage Foundation up to version 6.1, and Veritas Storage Foundation and High Availability up to version 6.1 are affected by CVE-2020-36166.
How can I fix CVE-2020-36166?
To fix CVE-2020-36166, it is recommended to update Veritas InfoScale, InfoScale Operations Manager, Storage Foundation, and Storage Foundation and High Availability to versions 7.4.3 or later.
Where can I find more information about CVE-2020-36166?
You can find more information about CVE-2020-36166 on the official Veritas website at https://www.veritas.com/content/support/en_US/security/VTS20-014.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/references
- agent/severity
- agent/last-modified-date
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/veritas
- canonical/veritas infoscale
- version/veritas infoscale/7.0.0
- version/veritas infoscale/7.4.2
- canonical/veritas infoscale operations manager
- version/veritas infoscale operations manager/7.0.0
- version/veritas infoscale operations manager/7.4.2
- canonical/veritas storage foundation
- version/veritas storage foundation/6.1
- canonical/veritas storage foundation and high availability
- version/veritas storage foundation and high availability/6.1
- vendor/microsoft
- canonical/microsoft windows