PT-2021-11946 · Veritas · Infoscale Operations Manager+2

Published

2021-01-06

·

Updated

2021-01-12

·

CVE-2020-36166

CVSS v3.1

9.3

Critical

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Veritas InfoScale versions 7.x through 7.4.2 (Windows)
Storage Foundation versions through 6.1 (Windows)
Storage Foundation HA versions through 6.1 (Windows)
InfoScale Operations Manager (aka VIOM) Windows Management Server versions 7.x through 7.4.2
Description: On start-up, the affected services load the OpenSSL library from the \usr\local\ssl directory, and that library tries to read its configuration file, openssl.cnf, from the same directory. On Windows the relative path resolves to <drive>:\usr\local\ssl\openssl.cnf, where <drive> is the default Windows installation drive (such as C:) or the drive on which the Veritas product is installed. The file normally does not exist, and by default any Windows user may create directories directly under a drive root, so a low-privileged local user can create the directory and plant an openssl.cnf that instructs OpenSSL to load an engine library of the attacker's choosing. That engine is loaded and executed as SYSTEM when the service starts, giving the attacker administrator-level control of the host and, by default, access to all data and installed applications on it.
Recommendations: The four affected products share the same root cause, so the same measures apply to all of them. Apply the vendor update for the affected product as soon as it is available. Until then, deny low-privileged users the ability to plant the configuration file: create the \usr\local\ssl directory on the Windows installation drive and on the drive where the Veritas product is installed, and set its ACL so that only SYSTEM and Administrators can write to it. Do not rely on the directory being absent, since by default any user can create it. If the product configuration allows the OpenSSL library or its configuration file to be loaded from a location other than \usr\local\ssl, point it at a directory that non-administrative users cannot write to.
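The mitigation above comes down to two checks per drive: does \usr\local\ssl already exist, and if so, who can write into it and what does any openssl.cnf there pull in. The following PowerShell script is an added example written for this entry; it is not Veritas code and not part of the vendor advisory. It assumes it is run elevated, that every fixed local drive is a candidate (the page names both the Windows installation drive and the product's install drive), that the path of interest is <drive>:\usr\local\ssl\openssl.cnf, and that SYSTEM and BUILTIN\Administrators are the only principals that should be able to write there. With -Remediate it pre-creates a missing directory with an inheritance-blocked, admin-only ACL, which removes the precondition the description relies on.

```powershell
<#
  Audit (and optionally harden) the OpenSSL config path abused by CVE-2020-36166.
  Added example, not vendor code. Assumptions: run elevated; all fixed drives are
  candidates; the trusted writers are SYSTEM and BUILTIN\Administrators.
#>
[CmdletBinding()]
param(
    [switch]$Remediate   # create \usr\local\ssl with an admin-only ACL where it is missing
)

$relDir  = 'usr\local\ssl'
$cnfName = 'openssl.cnf'

# Principals that may legitimately write to the directory; everyone else is untrusted.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Test-UntrustedWrite {
    param([System.Security.AccessControl.FileSystemSecurity]$Acl)
    # Any rights that let a principal add or change files in the directory.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor `
                 [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor `
                 [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor `
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

# Only real drive roots such as C:\ or D:\ (skips mapped shares and provider paths).
foreach ($drive in Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }) {
    $dir = Join-Path $drive.Root $relDir
    $cnf = Join-Path $dir $cnfName

    if (-not (Test-Path -LiteralPath $dir)) {
        # Missing directory: by default any user may create it, which is the attack precondition.
        Write-Warning "$dir does not exist; a low-privileged user could create it."
        if ($Remediate) {
            New-Item -ItemType Directory -Path $dir -Force | Out-Null
            $acl = Get-Acl -LiteralPath $dir
            $acl.SetAccessRuleProtection($true, $false)   # block inheritance, drop inherited ACEs
            foreach ($id in $trusted) {
                $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
                $acl.AddAccessRule($rule)
            }
            Set-Acl -LiteralPath $dir -AclObject $acl
            Write-Host "Created $dir with SYSTEM/Administrators-only ACL."
        }
        continue
    }

    $acl = Get-Acl -LiteralPath $dir
    if (Test-UntrustedWrite -Acl $acl) {
        Write-Warning "$dir is writable by a non-administrative principal; review its ACL."
    }

    if (Test-Path -LiteralPath $cnf) {
        $owner = (Get-Acl -LiteralPath $cnf).Owner
        $text  = Get-Content -LiteralPath $cnf -Raw
        # An engine section with dynamic_path is how an openssl.cnf pulls in an arbitrary DLL.
        if ($text -match '(?im)^\s*dynamic_path\s*=\s*(.+)$') {
            Write-Warning "$cnf (owner $owner) loads an engine from: $($Matches[1].Trim())"
        } else {
            Write-Host "$cnf present (owner $owner); no dynamic engine path found."
        }
    }
}
```

Run it once without -Remediate to see which drives are exposed and whether a config file is already present (an openssl.cnf owned by a non-administrative account, or one naming a dynamic_path outside a trusted location, is worth treating as an incident rather than a misconfiguration), then with -Remediate on hosts that still await the vendor update. Pre-creating the directory rather than deleting it is deliberate: an absent directory is exactly the state an attacker needs.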


Related Identifiers

CVE-2020-36166

Affected Products

Infoscale Operations Manager
Storage Foundation
Veritas Infoscale