CVE-2020-36166
📋 TL;DR
This vulnerability allows low-privileged Windows users to achieve SYSTEM-level arbitrary code execution by planting a malicious OpenSSL configuration file in a predictable location. It affects Veritas InfoScale, Storage Foundation, and InfoScale Operations Manager on Windows systems. Attackers gain full administrator access to compromised systems.
💻 Affected Systems
- Veritas InfoScale
- Storage Foundation
- Storage Foundation HA
- InfoScale Operations Manager (VIOM) Windows Management Server
📦 What is this software?
Infoscale by Veritas
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling data theft, application access, persistence, and lateral movement across the network.
Likely Case
Local privilege escalation from low-privileged user to SYSTEM, leading to full control of affected servers and potential credential harvesting.
If Mitigated
Limited impact if file permissions prevent low-privileged users from creating files in the \usr\local\ssl directories, or if the affected services run with restricted privileges.
🎯 Exploit Status
Exploitation requires local user access that can create files in a specific directory. No authentication bypass is needed beyond that initial low-privileged access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply patches referenced in VTS20-014 advisory
Vendor Advisory: https://www.veritas.com/content/support/en_US/security/VTS20-014
Restart Required: Yes
Instructions:
1. Review VTS20-014 advisory for specific patch versions.
2. Apply vendor-provided patches.
3. Restart affected Veritas services.
4. Verify patch installation.
🔧 Temporary Workarounds
Restrict directory permissions
Set restrictive permissions on each drive's \usr\local\ssl directory so that low-privileged users cannot create files there
icacls "C:\usr\local\ssl" /deny Users:(OI)(CI)F
icacls "D:\usr\local\ssl" /deny Users:(OI)(CI)F
Create dummy configuration file
Create a legitimate openssl.cnf file with secure permissions so that a malicious file cannot be created under that name (the directory is created first if it does not exist)
if not exist "C:\usr\local\ssl\" mkdir "C:\usr\local\ssl"
echo # Secure configuration > "C:\usr\local\ssl\openssl.cnf"
icacls "C:\usr\local\ssl\openssl.cnf" /inheritance:r /grant "SYSTEM:F" "Administrators:F"
🧯 If You Can't Patch
- Implement strict file system permissions on all drive roots so that low-privileged users cannot create \usr directories
- Monitor for file creation events in \usr\local\ssl paths and investigate unauthorized changes
🔍 How to Verify
Check if Vulnerable:
Check whether an affected version of a Veritas product is installed and whether any \usr\local\ssl directory exists with write permissions for low-privileged users
Check Version:
Check Veritas product version through product management console or vendor documentation
Verify Fix Applied:
Verify patch installation via vendor tools, check that \usr\local\ssl directories have restrictive permissions, and confirm openssl.cnf file permissions
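The permission check above can be automated. The following PowerShell script is an added example, not part of the Veritas advisory or of any vendor tool: it walks every local lettered drive, finds the \usr\local\ssl path named in this advisory, and reports any Allow ACE that lets a low-privileged principal create a file there (or, if the path does not exist yet, create the missing directory chain at its deepest existing ancestor). The list of principals treated as low-privileged and the output format are assumptions for illustration.

```powershell
# Added example, not part of the Veritas advisory or the vendor's tooling.
#Requires -RunAsAdministrator

$FSR = [System.Security.AccessControl.FileSystemRights]
$createFileMask = [int]($FSR::CreateFiles)        # same bit as WriteData on an existing file
$createDirMask  = [int]($FSR::CreateDirectories)  # needed to create a missing \usr\local\ssl chain

# Assumption: principals every local account typically holds; extend for your environment
$lowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

function Get-DeepestExistingPath {
    # Walk upward from $Path until a path that actually exists is found
    param([string]$Path)
    $p = $Path
    while (-not (Test-Path -LiteralPath $p)) { $p = Split-Path -Parent $p }
    return $p
}

function Get-LowPrivWriteAces {
    # Return Allow ACEs that grant $Mask to a low-privileged principal and are not
    # cancelled by an explicit Deny ACE for the same principal on the same object
    param([string]$Path, [int]$Mask)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($principal in $lowPrivPrincipals) {
        $aces   = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $principal })
        $denies = @($aces | Where-Object {
            $_.AccessControlType -eq 'Deny'  -and (([int]$_.FileSystemRights -band $Mask) -ne 0) })
        $allows = @($aces | Where-Object {
            $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights -band $Mask) -ne 0) })
        if ($allows.Count -gt 0 -and $denies.Count -eq 0) {
            foreach ($ace in $allows) {
                [pscustomobject]@{
                    Path      = $Path
                    Principal = $principal
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

$findings = foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    if ($drive.Root -notmatch '^[A-Za-z]:\\$') { continue }   # local lettered drives only
    $sslDir  = Join-Path $drive.Root 'usr\local\ssl'
    $cnfFile = Join-Path $sslDir 'openssl.cnf'

    $existing = Get-DeepestExistingPath $sslDir
    if ($existing -eq $sslDir) {
        # Directory exists: whoever can create files in it can plant openssl.cnf
        Get-LowPrivWriteAces -Path $sslDir -Mask $createFileMask
        if (Test-Path -LiteralPath $cnfFile) {
            # File exists: whoever can write it can replace the configuration
            Get-LowPrivWriteAces -Path $cnfFile -Mask $createFileMask
        }
    } else {
        # Path is missing: the deepest existing ancestor (often the drive root)
        # decides whether a user can create the \usr\local\ssl chain
        Get-LowPrivWriteAces -Path $existing -Mask $createDirMask
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No low-privileged create/write access found on any \usr\local\ssl path.'
}
```

Run it elevated on each Veritas host before and after applying the workaround. An empty result means neither the directory, the openssl.cnf file, nor the nearest existing ancestor grants create or write rights to the listed principals. A non-empty result at a drive root is the case the "If You Can't Patch" section warns about: the directory does not exist yet, and the root ACL still lets users create it, so the icacls deny on \usr\local\ssl alone has nothing to protect.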
📡 Detection & Monitoring
Log Indicators:
- File creation events in \usr\local\ssl directories
- Veritas service restarts with unusual timing
- OpenSSL configuration loading errors
Network Indicators:
- Unusual outbound connections from Veritas services post-restart
SIEM Query:
(EventID=4663 OR EventID=4656) AND ObjectName LIKE '%\usr\local\ssl%' AND SubjectUserName NOT IN ('SYSTEM','Administrators')
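Events 4656 and 4663 are only written when object-access auditing is enabled and the directory carries a SACL, so the query above returns nothing on a default install. The following PowerShell script is an added example, not part of the Veritas advisory: it turns on file-system auditing, places an audit rule on every existing \usr\local\ssl directory, and then reads back matching events from the Security log in the shape of the SIEM query. The 24-hour lookback and the exclusion of the SYSTEM account and machine accounts (names ending in $) are assumptions.

```powershell
# Added example, not part of the Veritas advisory or the vendor's tooling.
#Requires -RunAsAdministrator

$LookbackHours = 24   # assumption: how far back to search

# --- 1. Make sure file-system auditing actually produces 4656/4663 events ---
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Audit successful create/append/delete attempts by anyone, inherited by children
$auditRule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    'CreateFiles, AppendData, Delete',
    'ContainerInherit, ObjectInherit',
    'None',
    'Success')

foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    if ($drive.Root -notmatch '^[A-Za-z]:\\$') { continue }   # local lettered drives only
    $sslDir = Join-Path $drive.Root 'usr\local\ssl'
    if (-not (Test-Path -LiteralPath $sslDir)) { continue }
    $acl = Get-Acl -LiteralPath $sslDir -Audit
    $acl.AddAuditRule($auditRule)
    Set-Acl -LiteralPath $sslDir -AclObject $acl
}

# --- 2. Query the Security log for object-access events on those paths ---
function Get-SslDirAccessEvents {
    param([int]$Hours)
    $filter = @{ LogName = 'Security'; Id = 4656, 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the EventData fields out of the event XML by name
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

        if ($d.ObjectName -notmatch '\\usr\\local\\ssl') { continue }
        if ($d.SubjectUserName -eq 'SYSTEM' -or $d.SubjectUserName -like '*$') { continue }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            User    = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
            Object  = $d.ObjectName
            Access  = $d.AccessMask
            Process = $d.ProcessName
        }
    }
}

Get-SslDirAccessEvents -Hours $LookbackHours | Format-Table -AutoSize
```

Any row whose Process is not a Veritas service binary and whose User is an ordinary account is worth investigating, since nothing legitimate should write to that path outside of administration. Note that the step 1 audit rule only covers directories that already exist; if \usr\local\ssl is absent, audit the drive root for directory creation instead.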