VDB

GCVE-110-CERTCC-2020-429301

GCVE-110-CERTCC-2020-429301
Advisory Published
Vulnetix · Advisory published December 23, 2020
### Overview Veritas Backup Exec contains a privilege escalation vulnerability due to the use of an `OPENSSLDIR` variable that specifies a location where an unprivileged Windows user can create files. ### Description **CVE-2019-1552** Veritas Backup Exec includes an OpenSSL component that specifies an `OPENSSLDIR` variable as `/usr/local/ssl/`. On the Windows platform, this path is interpreted as `C:\usr\local\ssl`. Backup Exec contains a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted `openssl.cnf` file to achieve arbitrary code execution with SYSTEM privileges. ### Impact By placing a specially-crafted `openssl.cnf` in the `C:\usr\local\ssl` directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Veritas software installed. ### Solution #### Apply an update This vulnerability is [addressed](https://www.veritas.com/content/support/en_US/security/VTS20-010) in Backup Exec 21.1 [Hotfix 657517](https://www.veritas.com/content/support/en_US/downloads/update.UPD657517) (Engineering version 21.0.1200.1217) and Backup Exec 20.6 [Hotfix 298543](https://www.veritas.com/content/support/en_US/downloads/update.UPD298543) (Engineering version 20.0.1188.2734). #### Create a C:\usr\local\ssl directory In cases where an update cannot be installed, this vulnerability can be mitigated by creating a `C:\usr\local\ssl` directory and restricting ACLs to prevent unprivileged users from being able to write to this location. ### Acknowledgements This vulnerability was reported by Will Dormann of the CERT/CC. This document was written by Will Dormann.

Browse GCVE Records

73,734 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›