CVE-2020-36164

9.3 CRITICAL

📋 TL;DR

This vulnerability lets a low-privileged local user run arbitrary code as SYSTEM on a Veritas Enterprise Vault server by planting a malicious OpenSSL configuration file. At service start-up the bundled OpenSSL library looks for C:\Isode\etc\ssl\openssl.cnf, a path that does not exist by default; because Windows lets any authenticated user create directories in the root of C:\, such a user can create that path and supply a configuration that makes OpenSSL load attacker-controlled code into the service. Only servers running specific components (SMTP Server, IMAP Server, File System Archiving and the related components listed below) are affected. A successful attack gives the attacker full administrator access to the host.

💻 Affected Systems

Products:
  • Veritas Enterprise Vault
Versions: Through version 14.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects servers with one of these components installed: SMTP Server, SMTP Archiving, IMAP Server, IMAP Archiving, Vault Cloud Adapter, NetApp File Server, or File System Archiving for NetApp as File Server.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, allowing data theft, application access, and lateral movement within the network.

🟠

Likely Case

Privilege escalation from low-privileged user to SYSTEM, leading to full control of the affected server.

🟢

If Mitigated

Limited impact if proper file permissions prevent directory creation in system locations.

🌐 Internet-Facing: MEDIUM - This is a local privilege escalation. The attacker must already be able to run code as a low-privileged user on the server (for example through a compromised account or another exposed service) and the server must have one of the listed components installed; exposing the SMTP or IMAP services to the internet does not by itself make it remotely exploitable.
🏢 Internal Only: HIGH - Low-privileged internal users can exploit this to gain SYSTEM privileges on affected servers.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY
Unauthenticated Exploit: ❌ No
Complexity: LOW

Requires low-privileged user access to create directories and files in system locations. Exploitation is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: The hotfix for version 14.0 published with the vendor advisory (VTS20-013), or a later release that includes it

Vendor Advisory: https://www.veritas.com/content/support/en_US/security/VTS20-013

Restart Required: Yes

Instructions:

1. Download the patch from the Veritas support portal (linked from the advisory above).
2. Apply the patch to every affected Enterprise Vault server.
3. Restart the Enterprise Vault services.

🔧 Temporary Workarounds

Restrict directory creation in the probed path

windows (cmd.exe, run as administrator)

By default the root of C:\ grants NT AUTHORITY\Authenticated Users the "Create folders / append data" right (shown as (AD) in icacls output), which is what lets a low-privileged user create C:\Isode. Do not fix this with a blanket deny such as icacls C:\ /deny Everyone:(OI)(CI)(WD,AD): Everyone includes SYSTEM and Administrators, deny entries take precedence over allows, and with (OI)(CI) the deny propagates to every file and folder on the drive. Instead, claim the probed path as an administrator and give it an ACL that only administrators can change:

mkdir C:\Isode\etc\ssl
icacls C:\Isode /inheritance:r /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)F" "BUILTIN\Administrators:(OI)(CI)F" "NT AUTHORITY\Authenticated Users:(OI)(CI)RX"

Create a placeholder openssl.cnf

windows (cmd.exe; in PowerShell the # starts a comment and the echo writes nothing, use Set-Content there)

Occupy the file name OpenSSL probes with a comment-only configuration, which OpenSSL parses as empty. The file's own ACL is not enough on its own: whoever controls the parent directory can rename or delete the file, so create the directories as an administrator and restrict them as in the previous workaround before placing the file.

mkdir C:\Isode\etc\ssl
echo # Safe config > C:\Isode\etc\ssl\openssl.cnf
icacls C:\Isode\etc\ssl\openssl.cnf /inheritance:r /grant:r "NT AUTHORITY\SYSTEM:F" "BUILTIN\Administrators:F" "NT AUTHORITY\Authenticated Users:R"

🧯 If You Can't Patch

  • Implement strict file system permissions to prevent low-privileged users from creating directories in C:\ and installation drive roots
  • Monitor for directory creation attempts in vulnerable paths and investigate any unauthorized file creation
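Added example, not from Veritas or the advisory: a PowerShell script that applies both workarounds above in one step and handles the two cases the one-liners do not, an Isode directory that a non-administrator already owns and an openssl.cnf that is already present. The probed path is the one the advisory names; the function name, the placeholder text and the quarantine file name are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not Veritas code): pre-claim the directory Enterprise Vault's bundled
# OpenSSL probes for openssl.cnf so a low-privileged user cannot create it.
# The probed path is the one named in the advisory; everything else here is this example's own.

function Protect-OpensslCnfPath {
    param(
        [string]$Root   = 'C:\Isode',          # first component a user could otherwise create in C:\
        [string]$SslDir = 'C:\Isode\etc\ssl'   # directory probed for openssl.cnf
    )
    $cnf = Join-Path $SslDir 'openssl.cnf'
    $adminOwners = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

    # Edge case 1: the tree already exists and a non-admin owns it. Owning the parent lets
    # that user rename or delete anything below it whatever the file's ACL says, so take
    # the tree back and treat the finding as a possible exploitation attempt.
    if (Test-Path -LiteralPath $Root) {
        $owner = (Get-Acl -LiteralPath $Root).Owner
        if ($owner -notin $adminOwners) {
            Write-Warning "$Root exists and is owned by '$owner'; reassigning to Administrators"
            & takeown.exe /F $Root /A /R /D Y | Out-Null
        }
    }

    New-Item -ItemType Directory -Path $SslDir -Force | Out-Null

    # Stop inheriting the permissive drive-root ACL and grant explicitly: SYSTEM and
    # administrators full control, everyone else read/execute. No deny ACEs, because a
    # deny on Everyone would also bind SYSTEM and Administrators.
    $aclArgs = @(
        $Root, '/inheritance:r', '/grant:r',
        'NT AUTHORITY\SYSTEM:(OI)(CI)F',
        'BUILTIN\Administrators:(OI)(CI)F',
        'NT AUTHORITY\Authenticated Users:(OI)(CI)RX'
    )
    & icacls.exe @aclArgs | Out-Null

    # Edge case 2: a file is already there. It may be attacker-planted, so keep it for
    # forensics under another name instead of trusting or silently overwriting it.
    if (Test-Path -LiteralPath $cnf) {
        $quarantine = "$cnf.$(Get-Date -Format yyyyMMddHHmmss).quarantined"
        Write-Warning "Existing $cnf moved to $quarantine for review"
        Move-Item -LiteralPath $cnf -Destination $quarantine
    }

    # Occupy the probed file name with a comment-only config, which OpenSSL parses as empty.
    Set-Content -LiteralPath $cnf -Value '# placeholder openssl.cnf (CVE-2020-36164 mitigation); do not delete' -Encoding Ascii

    # Return the resulting state so it can be checked or logged
    $acl = Get-Acl -LiteralPath $Root
    [pscustomobject]@{
        ConfigFile = $cnf
        Owner      = $acl.Owner
        Access     = $acl.Access | ForEach-Object {
            '{0}: {1} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
        }
    }
}

Protect-OpensslCnfPath | Format-List
```

Run it elevated on each affected server; the warning about an existing non-administrator owner or an existing openssl.cnf is the signal to open an incident rather than just harden.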

🔍 How to Verify

Check if Vulnerable:

Check whether the Enterprise Vault version is 14.0 or earlier and whether one of the listed components is installed. Then verify whether low-privileged users can create directories in C:\ and in the installation drive root, and whether C:\Isode already exists and who owns it: an existing directory owned by a non-administrator is a sign of attempted exploitation, not just exposure.

Check Version:

Check Enterprise Vault version in administration console or registry: HKEY_LOCAL_MACHINE\SOFTWARE\Veritas\Enterprise Vault\Version

Verify Fix Applied:

Verify patch installation through Enterprise Vault administration console and confirm directory permissions prevent low-privileged users from creating files in vulnerable paths.
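Added example, not from Veritas: a read-only PowerShell check covering both "Check if Vulnerable" (can non-administrators create folders in a drive root, and is the probed path absent or writable by them) and "Verify Fix Applied" (is the path owned and writable only by administrators, with the placeholder file in place). The path constants come from the advisory; the function name and output fields are this example's own.

```powershell
# Added example (not Veritas code): report whether this server exposes the preconditions
# for CVE-2020-36164 and whether the probed path has been locked down. Read-only.

function Test-OpensslCnfPlantable {
    param(
        [string]$Root   = 'C:\Isode',          # first path component a user could create
        [string]$SslDir = 'C:\Isode\etc\ssl'   # directory probed for openssl.cnf (advisory)
    )
    $FSR = [System.Security.AccessControl.FileSystemRights]
    $lowPriv     = @('NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone')
    $adminOwners = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

    # True if an Allow ACE for a low-privileged principal includes every bit of $right
    function HasRight($acl, $right) {
        [bool]($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -in $lowPriv -and
            (($_.FileSystemRights -band $right) -eq $right)
        })
    }

    # 1. Drive roots: the Windows default grants Authenticated Users "Create folders"
    #    (icacls shows it as "(AD)") on C:\; the EV installation drive may be another.
    $drives = foreach ($d in Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Za-z]:\\$' }) {
        [pscustomobject]@{
            Drive                = $d.Root
            LowPrivCanCreateDirs = HasRight (Get-Acl -LiteralPath $d.Root) ($FSR::CreateDirectories)
        }
    }

    # 2. The probed path: absent (claimable), or present but owned/writable by non-admins?
    $cnf = Join-Path $SslDir 'openssl.cnf'
    if (Test-Path -LiteralPath $Root) {
        $acl  = Get-Acl -LiteralPath $Root
        $path = [pscustomobject]@{
            Exists          = $true
            Owner           = $acl.Owner
            PlaceholderCnf  = Test-Path -LiteralPath $cnf
            LowPrivCanWrite = (HasRight $acl ($FSR::CreateFiles)) -or (HasRight $acl ($FSR::Delete))
        }
    } else {
        $path = [pscustomobject]@{ Exists = $false; Owner = $null; PlaceholderCnf = $false; LowPrivCanWrite = $false }
    }

    # Plantable if the path is missing on a drive whose root lets users create folders,
    # or if it exists but a low-privileged principal owns it or can write into it.
    $plantable = if ($path.Exists) {
        $path.LowPrivCanWrite -or ($path.Owner -notin $adminOwners)
    } else {
        [bool]($drives | Where-Object LowPrivCanCreateDirs)
    }

    [pscustomobject]@{ Drives = $drives; ProbedPath = $path; Plantable = $plantable }
}

Test-OpensslCnfPlantable | Format-List
```

Plantable = False together with PlaceholderCnf = True and an Administrators or SYSTEM owner is the state the workarounds above are meant to produce; the Drives list shows whether the default root ACE is still in place, which matters if the vendor patch is later rolled back.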

📡 Detection & Monitoring

Log Indicators:

  • Security log events 4656/4663 (object access) for creation of C:\Isode, or of files under C:\Isode\etc\ssl\, by an account other than Administrators or the Enterprise Vault service account; these only appear if an audit SACL for folder and file creation is set on the drive root or on that path
  • Enterprise Vault service restart events following suspicious file creation

Network Indicators:

  • Unusual outbound connections from Enterprise Vault servers following service restarts

SIEM Query:

(EventID=4663 AND (ObjectName LIKE '%\Isode\%' OR ObjectName LIKE '%openssl.cnf%')) OR (EventID=4688 AND (NewProcessName LIKE '%openssl%' OR CommandLine LIKE '%\Isode\%'))

Two prerequisites: 4663 is only generated for paths that carry an audit SACL (enable Object Access auditing and set a SACL for "Create folders" and "Create files" on C:\ or on the pre-created C:\Isode tree), and the CommandLine field of 4688 is only populated when "Include command line in process creation events" is enabled. The NewProcessName clause on its own catches little, because the payload is loaded inside the Enterprise Vault service at start-up rather than run as a separate openssl process; matching the path in the command line catches the mkdir and copy steps that precede it.
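Added example, not from the original page or any SIEM vendor: the detection logic above applied to constructed Security-log records, so the filter can be checked before it is pointed at live data. Field names match the Security log's event data (EventID, SubjectUserName, ObjectName, CommandLine); the records, the account names and the function name are this example's own.

```powershell
# Added example (not from the page or a vendor): detection logic for openssl.cnf planting
# run over constructed sample events. 4656/4663 require an audit SACL on the path and
# 4688 carries CommandLine only with command-line logging enabled.

function Find-OpensslCnfPlanting {
    param(
        [object[]]$Events,
        [string]$Tree = 'C:\Isode',                         # top of the probed path (advisory)
        [string[]]$Trusted = @('SYSTEM', 'Administrator')   # accounts expected to touch it; site-specific assumption
    )
    foreach ($e in $Events) {
        $reason = $null
        switch ($e.EventID) {
            # Handle requested / object accessed under the probed tree by a non-trusted account.
            # Matching the whole tree, not just "openssl.cnf", catches the "mkdir C:\Isode" step first.
            { $_ -in 4656, 4663 } {
                if ($e.ObjectName -like "$Tree*" -and $e.SubjectUserName -notin $Trusted) {
                    $reason = 'file or directory activity under probed openssl.cnf path'
                }
            }
            # Process creation whose command line creates the path or drops the file.
            4688 {
                if ($e.CommandLine -match [regex]::Escape($Tree) -or $e.CommandLine -match 'openssl\.cnf') {
                    $reason = 'process command line references probed path'
                }
            }
        }
        if ($reason) {
            $detail = if ($e.EventID -eq 4688) { $e.CommandLine } else { $e.ObjectName }
            [pscustomobject]@{
                Time    = $e.TimeCreated
                User    = $e.SubjectUserName
                EventID = $e.EventID
                Detail  = $detail
                Reason  = $reason
            }
        }
    }
}

# Constructed sample (not real logs): a low-privileged user creates the path and the file,
# the service reads it at start-up as SYSTEM, and one unrelated write that must not be flagged.
$sample = @(
    [pscustomobject]@{ EventID = 4663; TimeCreated = '2021-01-11 09:02:11'; SubjectUserName = 'jdoe';   ObjectName = 'C:\Isode';                     CommandLine = $null }
    [pscustomobject]@{ EventID = 4688; TimeCreated = '2021-01-11 09:02:12'; SubjectUserName = 'jdoe';   ObjectName = $null;                          CommandLine = 'cmd.exe /c mkdir C:\Isode\etc\ssl' }
    [pscustomobject]@{ EventID = 4663; TimeCreated = '2021-01-11 09:02:13'; SubjectUserName = 'jdoe';   ObjectName = 'C:\Isode\etc\ssl\openssl.cnf'; CommandLine = $null }
    [pscustomobject]@{ EventID = 4663; TimeCreated = '2021-01-11 10:15:00'; SubjectUserName = 'SYSTEM'; ObjectName = 'C:\Isode\etc\ssl\openssl.cnf'; CommandLine = $null }
    [pscustomobject]@{ EventID = 4663; TimeCreated = '2021-01-11 10:16:00'; SubjectUserName = 'jdoe';   ObjectName = 'C:\Users\jdoe\notes.txt';      CommandLine = $null }
)

Find-OpensslCnfPlanting -Events $sample | Format-Table -AutoSize
```

Only the three jdoe records that touch the Isode tree are returned; the SYSTEM read is the service's expected start-up access and the notes.txt write is outside the tree. To run this against a live server, pull records with Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4656,4663,4688} and flatten each record's event data (for example from [xml]$record.ToXml()) into objects with these property names, since EventLogRecord exposes them only as positional Properties.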
