CVE-2020-36162 – This vulnerability allows low-privileged Window... (How to Fix)

Q: What is the severity of CVE-2020-36162?

CVE-2020-36162 has a CVSS score of 9.3 (CRITICAL). This vulnerability allows low-privileged Windows users to achieve arbitrary code execution with administrator privileges in Veritas CloudPoint. By creating a malicious OpenSSL configuration file at a predictable location, attackers can load a malicious engine and gain full system control. This affects Veritas CloudPoint Windows Agent installations before version 8.3.0.1+hotfix.

📋 TL;DR

This vulnerability allows low-privileged Windows users to achieve arbitrary code execution with administrator privileges in Veritas CloudPoint. By creating a malicious OpenSSL configuration file at a predictable location, attackers can load a malicious engine and gain full system control. This affects Veritas CloudPoint Windows Agent installations before version 8.3.0.1+hotfix.

💻 Affected Systems

Products:

Veritas CloudPoint Windows Agent

Versions: All versions before 8.3.0.1+hotfix

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects Windows installations where low-privileged users can create directories at the root of drives.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with administrator privileges, allowing data theft, application access, and persistent backdoor installation.

🟠

Likely Case

Privilege escalation from low-privileged user to SYSTEM/administrator level, enabling lateral movement and data exfiltration.

🟢

If Mitigated

Limited impact if proper access controls prevent low-privileged users from creating files in root directories.

🌐 Internet-Facing: LOW (requires local access to the Windows system)

🏢 Internal Only: HIGH (any low-privileged user on affected systems can potentially exploit this)

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires local access and ability to create files at specific path. The technique is well-documented for OpenSSL configuration hijacking.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.3.0.1+hotfix

Vendor Advisory: https://www.veritas.com/content/support/en_US/security/VTS20-011

Restart Required: Yes

Instructions:

1. Download patch from Veritas support portal. 2. Stop CloudPoint services. 3. Apply the hotfix. 4. Restart services and verify functionality.

🔧 Temporary Workarounds

Restrict directory creation permissions

windows

Prevent low-privileged users from creating directories at root level of drives

icacls C:\ /deny "Users":(OI)(CI)W
icacls D:\ /deny "Users":(OI)(CI)W

Create dummy configuration file

windows

Create the expected openssl.cnf file with secure permissions to prevent hijacking

mkdir C:\usr\local\ssl
echo # Secure config > C:\usr\local\ssl\openssl.cnf
icacls C:\usr\local\ssl\openssl.cnf /inheritance:r /grant "SYSTEM":F /grant "Administrators":F

🧯 If You Can't Patch

Implement strict access controls preventing low-privileged users from creating files/directories at root of drives
Monitor for creation of openssl.cnf files in unexpected locations and alert on suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check CloudPoint Agent version via Control Panel > Programs and Features, or run 'wmic product where name="Veritas CloudPoint Agent" get version'

Check Version:

wmic product where name="Veritas CloudPoint Agent" get version

Verify Fix Applied:

Verify version is 8.3.0.1 or later, and check that C:\usr\local\ssl\openssl.cnf either doesn't exist or has secure permissions

📡 Detection & Monitoring

Log Indicators:

File creation events at C:\usr\local\ssl\openssl.cnf by non-admin users
Process creation from CloudPoint agent loading unexpected DLLs

Network Indicators:

Unusual outbound connections from CloudPoint agent processes

SIEM Query:

EventID=4663 OR EventID=4656 AND ObjectName="*openssl.cnf" AND SubjectUserName NOT IN ("SYSTEM", "Administrator*")

📊 Metadata

CVE ID: CVE-2020-36162

CVSS v3 Score: 9.3 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Published: January 6, 2021

Last Updated: November 21, 2024

🔗 References

https://www.veritas.com/content/support/en_US/security/VTS20-011 Vendor Advisory
https://www.veritas.com/content/support/en_US/security/VTS20-011 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Cloudpoint by Veritas

Cloudpoint by Veritas

Cloudpoint by Veritas

Cloudpoint by Veritas

Cloudpoint by Veritas

Cloudpoint by Veritas

Cloudpoint by Veritas

Cloudpoint by Veritas

Cloudpoint by Veritas

Cloudpoint by Veritas

Cloudpoint by Veritas

Netbackup Cloudpoint by Veritas

Netbackup Cloudpoint by Veritas

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict directory creation permissions

Create dummy configuration file

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export