search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Veritas Backup Exec is vulnerable to privilege escalation due to OPENSSLDIR location

Vulnerability Note VU#429301

Original Release Date: 2020-12-23 | Last Revised: 2021-01-06

Overview

Veritas Backup Exec contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user can create files.

Description

CVE-2019-1552

Veritas Backup Exec includes an OpenSSL component that specifies an OPENSSLDIR variable as /usr/local/ssl/. On the Windows platform, this path is interpreted as C:\usr\local\ssl. Backup Exec contains a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges.

Impact

By placing a specially-crafted openssl.cnf in the C:\usr\local\ssl directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Veritas software installed.

Solution

Apply an update

This vulnerability is addressed in Backup Exec 21.1 Hotfix 657517 (Engineering version 21.0.1200.1217) and Backup Exec 20.6 Hotfix 298543 (Engineering version 20.0.1188.2734).

Create a C:\usr\local\ssl directory

In cases where an update cannot be installed, this vulnerability can be mitigated by creating a C:\usr\local\ssl directory and restricting ACLs to prevent unprivileged users from being able to write to this location.

Acknowledgements

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Vendor Information

429301
 

Veritas Technologies Affected

Notified:  2020-11-11 Updated: 2020-12-23

CVE-2019-1552 Affected
CVE-2020-36167 Affected

Vendor Statement

We have not received a statement from the vendor.

References


Other Information

CVE IDs: CVE-2019-1552 CVE-2020-36167
Date Public: 2020-12-23
Date First Published: 2020-12-23
Date Last Updated: 2021-01-06 18:37 UTC
Document Revision: 3

Sponsored by CISA.