search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Macrium Reflect is vulnerable to privilege escalation due to OPENSSLDIR location

Vulnerability Note VU#760767

Original Release Date: 2020-10-26 | Last Revised: 2020-11-11


Macrium Reflect contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user can create files.



Macrium Reflect includes an OpenSSL component that specifies an OPENSSLDIR variable as C:\openssl\. Macrium Reflect contains a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges.


By placing a specially-crafted openssl.cnf in the C:\openssl\ directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Macrium software installed.


Apply an update

This vulnerability is addressed in Macrium Reflect v7.3.5281.


This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Vendor Information


Macrium Affected

Notified:  2020-09-23 Updated: 2020-11-11

Statement Date:   November 11, 2020

CVE-2020-10143 Affected

Vendor Statement

This vulnerability was introduced in the Macrium Reflect 7.2 series of releases, Reflect 6, 7.0 and 7.1 are not affected. All users of affected releases are entitled to a free upgrade to 7.3.5281 or later. We would like to thank to Will Dormann (@wdormann) for his diligence in reporting this to us.


Other Information

CVE IDs: CVE-2020-10143
Date Public: 2020-10-26
Date First Published: 2020-10-26
Date Last Updated: 2020-11-11 13:44 UTC
Document Revision: 4

Sponsored by CISA.