Acronis Patches Privilege Escalation Flaws in Backup, Security Solutions

Acronis has released patches for its True Image, Cyber Backup, and Cyber Protect products to address vulnerabilities that could lead to elevation of privileges.

The flaws could allow unprivileged Windows users to run code with SYSTEM privileges, a vulnerability note from the CERT Coordination Center (CERT/CC) reveals.

Tracked as CVE-2020-10138 (CVSS score 8.1), the first of the bugs affects Acronis Cyber Backup 12.5 and Cyber Protect 15 and resides in a privileged service that uses “an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory within C:\jenkins_agent\.”

Given that unprivileged Windows users are able to create subdirectories off of the system root, it is possible for a user to create the appropriate path to an openssl.cnf file that would allow them to run arbitrary code with SYSTEM privileges.

The second flaw, CVE-2020-10139 (CVSS score 8.1), was found in Acronis True Image 2021 and is similar to CVE-2020-10138: an unprivileged user can abuse the privileged service to execute a specially-crafted openssl.cnf file with SYSTEM privileges.

Identified in Acronis True Image 2021 and tracked as CVE-2020-10140 (CVSS score 8.7), the third vulnerability exists because the backup software fails to properly set access control lists (ACLs) for the C:\ProgramData\Acronis directory.

Thus, an unprivileged user could place a DLL in one of the multiple paths within that directory and achieve arbitrary code execution through privileged processes that are executed from C:\ProgramData\Acronis, the CERT/CC note reveals.

“By placing a specially-crafted openssl.cnf or DLL file in a specific location, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Acronis software installed. See DLL Search Order Hijacking for more details,” CERT/CC explains.
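Both bug classes described above come down to the same question an administrator can answer directly: can a low-privileged account create files or subdirectories in a location that a SYSTEM service will later read an openssl.cnf or a DLL from? The following PowerShell audit is an added example written for this article; it is not code from CERT/CC or Acronis. It takes the two paths the article names, walks up to the nearest existing ancestor when a path is missing (since whoever can write to that ancestor can create the missing path), and reports any Allow ACE that grants create or write rights to the everyday low-privilege principals. The principal list and the set of "risky" rights are this example's assumptions, not values from the advisory.

```powershell
# Added audit example (not from the CERT/CC note or Acronis). Run as an administrator
# so every ACL can be read. Paths are the two locations named in the article.
$pathsToAudit = @(
    'C:\jenkins_agent',        # parent of the OPENSSLDIR the privileged service used; may not exist
    'C:\ProgramData\Acronis'   # directory the note says lacked proper ACLs
)

# Principals that, in practice, mean "any unprivileged user" (assumption of this example).
$lowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Any of these rights is enough to drop a file or subdirectory into the location.
$riskyRights = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
               [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
               [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-LowPrivWriteAccess {
    param([Parameter(Mandatory)][string]$Path)

    # A missing path is not "safe": whoever can write to its nearest existing ancestor
    # can create it. Audit that ancestor instead (C:\ always exists, so the loop ends).
    $probe = $Path
    while (-not (Test-Path -LiteralPath $probe)) {
        $probe = Split-Path -Path $probe -Parent
    }

    $acl = Get-Acl -LiteralPath $probe
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $riskyRights) -ne 0) {
            [pscustomobject]@{
                Requested = $Path
                Checked   = $probe
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = foreach ($p in $pathsToAudit) { Get-LowPrivWriteAccess -Path $p }
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No low-privilege create/write access found on the audited paths.'
}
```

A finding whose Checked column is `C:\` is the OPENSSLDIR case: the configured directory does not exist and the default root ACL lets ordinary users create it. A finding under `C:\ProgramData\Acronis` is the ACL case. The fix in either situation is to install the patched builds the article lists and then re-run the audit; it should come back empty once the service no longer references a user-creatable path and the ProgramData directory carries an administrator-only ACL.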

Acronis True Image 2021 build 32010, Acronis Cyber Backup 12.5 build 16363, and Acronis Cyber Protect 15 build 24600 were released in early October 2020 with patches for these vulnerabilities.
