Arbitrary Code Execution Vulnerability in Veritas InfoScale and Storage Foundation Products
CVE-2020-36166

9.3 CRITICAL

What is CVE-2020-36166?

A vulnerability exists in various versions of Veritas InfoScale and Storage Foundation on Windows: a low-privileged user can create a malicious OpenSSL configuration file that is loaded at service startup. This can lead to arbitrary code execution with SYSTEM privileges, potentially giving attackers full control over the affected system. The flaw arises because the system does not validate the existence of necessary configuration files, allowing unauthorized modifications that facilitate access to sensitive data and applications.

CVSS V3.1

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
