| Title | Veritas Desktop and Laptop Option における脆弱性 |
|---|---|
| Summary | Veritas Desktop and Laptop Option (DLO) には、不特定の脆弱性が存在します。 |
| Possible impacts | 情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。 |
| Solution | ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。 |
| Publication Date | Dec. 23, 2020, midnight |
| Registration Date | Sept. 28, 2021, 2:20 p.m. |
| Last Update | Sept. 28, 2021, 2:20 p.m. |
| CVSS3.0 : 重要 | |
| Score | 8.8 |
|---|---|
| Vector | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| CVSS2.0 : 危険 | |
| Score | 7.2 |
|---|---|
| Vector | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| ベリタス |
| Desktop and Laptop Option 9.4 未満 |
| No | Changed Details | Date of change |
|---|---|---|
| 1 | [2021年09月28日] 掲載 |
Sept. 28, 2021, 2:20 p.m. |
| Summary | An issue was discovered in Veritas Desktop and Laptop Option (DLO) before 9.4. On start-up, it loads the OpenSSL library from /ReleaseX64/ssl. This library attempts to load the /ReleaseX64/ssl/openssl.cnf configuration file, which does not exist. By default, on Windows systems, users can create directories under C:\. A low privileged user can create a C:/ReleaseX64/ssl/openssl.cnf configuration file to load a malicious OpenSSL engine, resulting in arbitrary code execution as SYSTEM when the service starts. This gives the attacker administrator access on the system, allowing the attacker (by default) to access all data, access all installed applications, etc. This impacts DLO server and client installations. |
|---|---|
| Publication Date | Jan. 6, 2021, 10:15 a.m. |
| Registration Date | Jan. 26, 2021, 11:58 a.m. |
| Last Update | Nov. 21, 2024, 2:28 p.m. |
| Configuration1 | or higher | or less | more than | less than | |
| cpe:2.3:a:veritas:desktop_and_laptop_option:*:*:*:*:*:*:*:* | 9.4 | ||||
| execution environment | |||||
| 1 | cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* | ||||