CVE-2020-36166 in InfoScaleinfo

Summary

by MITRE • 01/06/2021

An issue was discovered in Veritas InfoScale 7.x through 7.4.2 on Windows, Storage Foundation through 6.1 on Windows, Storage Foundation HA through 6.1 on Windows, and InfoScale Operations Manager (aka VIOM) Windows Management Server 7.x through 7.4.2. On start-up, it loads the OpenSSL library from \usr\local\ssl. This library attempts to load the \usr\local\ssl\openssl.cnf configuration file, which may not exist. On Windows systems, this path could translate to &lt;drive&gt;:\usr\local\ssl\openssl.cnf, where &lt;drive&gt; could be the default Windows installation drive such as C:\ or the drive where a Veritas product is installed. By default, on Windows systems, users can create directories under any top-level directory. A low privileged user can create a &lt;drive&gt;:\usr\local\ssl\openssl.cnf configuration file to load a malicious OpenSSL engine, resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Disclosure

01/06/2021

Moderation

accepted

Entry

VDB-167315

CPE

ready

CWE

CWE-275 (confirmed)

CVSS

8.8 (VulDB)

EPSS

0.00431

KEV

Activities

very low

Sources

MITRE	https://www.cve.org/CVERecord?id=CVE-2020-36166
NVD	https://nvd.nist.gov/vuln/detail/CVE-2020-36166
CVE Details	https://www.cvedetails.com/cve/CVE-2020-36166/

◂ Previous Overview Next ▸

Interested in the pricing of exploits?

See the underground prices here!