Code Execution Vulnerability in Veritas DLO Products
CVE-2020-36165

9.3CRITICAL

Key Information:

Vendor: Veritas
Status: Desktop And Laptop Option
Vendor: CVE Published:; 6 January 2021

Summary

A vulnerability in Veritas Desktop and Laptop Option (DLO) prior to version 9.4 allows a low privileged user to exploit the OpenSSL library loading mechanism. Upon service startup, the software attempts to load the OpenSSL configuration file from a specified directory, which is absent by default. By creating this missing configuration file in the accessible directory, a malicious user can redirect the loading process to a rogue OpenSSL engine. This action can result in arbitrary code execution with SYSTEM privileges, posing significant risks, including complete access to sensitive data and installed applications.

References

https://www.veritas.com/content/support/en_US/security/VT...

x_refsource_MISC

CVSS V3.1

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Jan 6, 2021
Vulnerability Reserved
Jan 6, 2021