PT-2021-11940 · Veritas · Veritas System Recovery

Published: 2021-01-06 · Updated: 2021-01-11 · CVE-2020-36160

CVSS v3.1: 9.3 (Critical)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Veritas System Recovery versions prior to 21.2
Description: An issue in Veritas System Recovery allows a low-privileged user to create a malicious configuration file, openssl.cnf, in the C:\usr\local\ssl directory. The product's OpenSSL library reads its configuration from that fixed path, which does not exist on a default installation, and because the default ACL on the root of C:\ lets authenticated users create subdirectories, a low-privileged user can create both the directory and the file. A crafted openssl.cnf can direct OpenSSL to load a malicious engine library, resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing them to access all data and installed applications. If the system is also an Active Directory domain controller, this can affect the entire domain.
Recommendations: For versions prior to 21.2, update to version 21.2 or later to resolve the issue. As a temporary workaround, create the C:\usr\local\ssl directory yourself (if it does not already exist) and restrict its ACL to SYSTEM and Administrators so that low-privileged users cannot create openssl.cnf there. If the directory already exists and was not created by an administrator, treat any openssl.cnf or DLL inside it as suspicious and investigate before reusing the path.
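The audit and workaround above can be scripted. The following PowerShell is an added example written for this page, not code from Veritas or Positive Technologies. It assumes it runs elevated on the affected host, that C:\usr\local\ssl is the path named in the advisory, and that an engine-loading openssl.cnf can be recognised by a dynamic_path entry (the documented OpenSSL engine configuration key; using it as the indicator is this example's choice). The function names Test-OpensslDirExposure and Protect-OpensslDir are the example's own.

```powershell
# Added example for this advisory, not code from Veritas or Positive Technologies.
# Assumptions: runs elevated; C:\usr\local\ssl is the path from the advisory;
# an engine-loading openssl.cnf is recognised by its 'dynamic_path' key.

$SslDir  = 'C:\usr\local\ssl'
$CnfPath = Join-Path $SslDir 'openssl.cnf'

# Rights that let a principal drop files or subdirectories into a directory.
$CreateBits = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                    [System.Security.AccessControl.FileSystemRights]::CreateDirectories)
$BroadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

function Test-OpensslDirExposure {
    # Reports whether the directory exists, who owns it, whether broad groups can
    # create files in it, and whether an openssl.cnf that loads an engine is present.
    param([string]$Dir = $SslDir, [string]$Cnf = $CnfPath)

    $r = [ordered]@{
        Directory       = $Dir
        Exists          = $false
        Owner           = $null
        WritableByUsers = $false
        ConfigPresent   = $false
        LoadsEngine     = $false
        Contents        = @()
    }
    if (-not (Test-Path -LiteralPath $Dir)) { return [pscustomobject]$r }

    $r.Exists = $true
    $acl = Get-Acl -LiteralPath $Dir
    $r.Owner = $acl.Owner
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $BroadPrincipals -contains $ace.IdentityReference.Value -and
            (([int]$ace.FileSystemRights) -band $CreateBits) -ne 0) {
            $r.WritableByUsers = $true
        }
    }
    $r.Contents = @(Get-ChildItem -LiteralPath $Dir -Recurse -Force |
                    Select-Object -ExpandProperty FullName)
    if (Test-Path -LiteralPath $Cnf) {
        $r.ConfigPresent = $true
        # OpenSSL loads engines named in the config through a dynamic_path entry.
        $r.LoadsEngine = [bool](Select-String -LiteralPath $Cnf -Pattern '^\s*dynamic_path\s*=' -Quiet)
    }
    return [pscustomobject]$r
}

function Protect-OpensslDir {
    # Pre-creates the directory (so a low-privileged user cannot) and replaces its
    # ACL with SYSTEM and Administrators full control only, with inheritance from
    # C:\ disabled. Existing contents are left in place for investigation.
    param([string]$Dir = $SslDir)

    if (-not (Test-Path -LiteralPath $Dir)) {
        New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    }
    $acl = Get-Acl -LiteralPath $Dir
    $acl.SetAccessRuleProtection($true, $false)   # break inheritance, drop inherited ACEs
    foreach ($ace in @($acl.Access)) { $null = $acl.RemoveAccessRule($ace) }

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($principal in @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, 'FullControl', $inherit, $prop, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Dir -AclObject $acl
}

# Audit first; only lock the directory down when it is absent or admin-owned.
# A directory owned by anyone else may be attacker-created and should be
# investigated (see $before.Contents) before the path is reused.
$before = Test-OpensslDirExposure
$before | Format-List
if (-not $before.Exists -or $before.Owner -eq 'BUILTIN\Administrators') {
    Protect-OpensslDir
    Test-OpensslDirExposure | Format-List
} else {
    Write-Warning "$SslDir exists and is owned by $($before.Owner); review its contents before hardening."
}
```

Pre-creating the directory matters because a subdirectory created under C:\ inherits the root's Authenticated Users Modify ACE, which is exactly what lets a low-privileged user plant openssl.cnf; breaking inheritance and granting only SYSTEM and Administrators closes that path until the upgrade to 21.2 is applied.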


Related Identifiers: CVE-2020-36160

Affected Products: Veritas System Recovery