How to mitigate OpenSSL vulnerability CVE-2020-36164 on an Enterprise Vault SMTP server

Description

Veritas advisory VTS20-013 was released giving details on how CVE-2020-36164 affected Enterprise Vault (EV) servers.  If a server has the EV SMTP service installed, a mitigation is required for versions prior to 12.5.3 and 14.0.1.

Determine EV installation drive

Determine the Enterprise Vault installation drive. This is the drive containing the EV installation folder where the application binaries reside.

For our example, EV is installed on the D: drive.

Determine Windows system drive

Determine the Windows system drive. This is the drive where Windows is installed.  Typically Windows is installed to c:\Windows

For our example, Windows is installed on the C: drive

Create folders

For each distinct drive identified above, create the following folder if it does not exist:

[drive:]\Isode\etc\ssl

In our example, we have 2 drives that need the path: c: and d:, so we create:

d:\Isode\etc\ssl
c:\Isode\etc\ssl

Set Permissions on folders

Now we need to restrict permissions on each of the ssl folders from the previous step. One way to do this is with Windows Explorer.  Right click the ssl folder and select properties and select the Security tab.  Then select the advanced button and a windows similar to this will appear:

Select Disable inheritance and remove all inheritable permissions when prompted:

 Then add Full control - Allow entries for the following accounts using the Add button:

1) The Vault Service account or other local administrator account
2) SYSTEM
3) The local administrators group

The first step when adding entries is to use the Select a principal dialog, to find the accounts needed. 

Entries should look similar to:

When done it will look similar to:

Then apply the changes.