CVE-2020-36161

An issue was discovered in Veritas APTARE 10.4 before 10.4P9 and 10.5 before 10.5P3. By default, on Windows systems, users can create directories under C:\. A low privileged user can create a directory at the configuration file locations. When the Windows system restarts, a malicious OpenSSL engine could exploit arbitrary code execution as SYSTEM. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc.
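
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 8.8 HIGH | LOCAL | LOW | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| mitre | CNA | --- | | | | --- |
| CVE | ADP | --- | | | | --- |
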
EPSS Score, Percentile: 15%

| Vendor | Product | Version |
|---|---|---|
| veritas | aptare_it_analytics | 10.4.00 |
| veritas | aptare_it_analytics | 10.4.00:patch1 |
| veritas | aptare_it_analytics | 10.4.00:patch2 |
| veritas | aptare_it_analytics | 10.4.00:patch3 |
| veritas | aptare_it_analytics | 10.4.00:patch4 |
| veritas | aptare_it_analytics | 10.4.00:patch5 |
| veritas | aptare_it_analytics | 10.4.00:patch6 |
| veritas | aptare_it_analytics | 10.4.00:patch7 |
| veritas | aptare_it_analytics | 10.4.00:patch8 |
| veritas | aptare_it_analytics | 10.5.00 |
| veritas | aptare_it_analytics | 10.5.00:patch1 |

𝑥 = Vulnerable software versions