Overview
Macrium Reflect contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user can create files.
Description
CVE-2020-10143
Macrium Reflect includes an OpenSSL component that specifies an OPENSSLDIR variable as C:openssl. Macrium Reflect contains a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges.
Impact
By placing a specially-crafted openssl.cnf in the C:openssl directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Macrium software installed.
Solution
Apply an update
This vulnerability is addressed in Macrium Reflect v7.3.5281.
Acknowledgements
This vulnerability was reported by Will Dormann of the CERT/CC.
This document was written by Will Dormann.
Vendor Information
One or more vendors are listed for this advisory. Please reference the full report for more information.
References
https://updates.macrium.com/reflect/v7/v7.3.5281/details7.3.5281.htm
Other Information
CVE IDs:
CVE-2020-10143
Date Public:
2020-10-26
Date First Published:
2020-10-26
Date Last Updated:
2020-10-26 16:59 UTC
Document Revision:
1
760767 macrium reflect vulnerable privilege escalation openssldir location