
Acronis Patches Privilege Escalation Flaws in Backup, Security Solutions

Acronis has released patches for its True Image, Cyber Backup, and Cyber Protect products to address vulnerabilities that could lead to elevation of privileges.

The flaws could allow unprivileged Windows users to run code with SYSTEM privileges, a vulnerability note from the CERT Coordination Center (CERT/CC) reveals.

Tracked as CVE-2020-10138 (CVSS score 8.1), the first of the bugs affects Acronis Cyber Backup 12.5 and Cyber Protect 15 and resides in a privileged service that uses “an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory within C:\jenkins_agent.”

Given that unprivileged Windows users are able to create subdirectories off of the system root, it is possible for a user to create the appropriate path to an openssl.cnf file that would allow them to run arbitrary code with SYSTEM privileges.

The second flaw, CVE-2020-10139 (CVSS score 8.1), was found in Acronis True Image 2021 and is similar to CVE-2020-10138: an unprivileged user can abuse the privileged service to execute a specially-crafted openssl.cnf file with SYSTEM privileges.

Identified in Acronis True Image 2021 and tracked as CVE-2020-10140 (CVSS score 8.7), the third vulnerability exists because the backup software fails to properly set access control lists (ACLs) for the C:\ProgramData\Acronis directory.

Thus, an unprivileged user could place a DLL in one of the multiple paths within that directory and achieve arbitrary code execution through privileged processes that are executed from C:\ProgramData\Acronis, the CERT/CC note reveals.

“By placing a specially-crafted openssl.cnf or DLL file in a specific location, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Acronis software installed. See DLL Search Order Hijacking for more details,” CERT/CC explains.
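Both root causes the note describes, a system root where ordinary users may create subdirectories and a weak ACL on C:\ProgramData\Acronis, can be audited with the PowerShell check below. It is an example added for this page, not code from CERT/CC or Acronis; the three paths come from the text, while the list of low-privilege principals and the function name Test-WeakDirectoryAcl are assumptions.

```powershell
# Added audit check (not from the CERT/CC note or Acronis): report directories
# where principals that every non-admin user belongs to can drop a file or
# create a subdirectory. Paths are the ones named in the advisory text.
function Test-WeakDirectoryAcl {
    param(
        [string[]]$Path = @('C:\', 'C:\jenkins_agent', 'C:\ProgramData\Acronis'),
        # Assumed list: groups that any interactive non-administrative user is in.
        [string[]]$LowPrivPrincipal = @('BUILTIN\Users',
                                        'NT AUTHORITY\Authenticated Users',
                                        'NT AUTHORITY\INTERACTIVE',
                                        'Everyone')
    )
    # Rights that allow creating a file or a subdirectory; any one of them lets
    # an unprivileged user stage content that a SYSTEM-level process may load.
    $writeLike = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Write, Modify, FullControl'

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            # A missing C:\jenkins_agent is still worth reporting: whether an
            # ordinary user can create it depends on the ACL of C:\ checked above.
            [pscustomobject]@{ Path = $p; Principal = '(none)'; Rights = '(path missing)'; Inherited = $false }
            continue
        }
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipal -notcontains $ace.IdentityReference.Value) { continue }
            # Cast to int so generic-rights bits in the ACE do not break the mask test.
            if (([int]$ace.FileSystemRights -band [int]$writeLike) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $p
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# On a default Windows install the C:\ entry for BUILTIN\Users (CreateDirectories)
# is expected; a hit on C:\ProgramData\Acronis indicates the unpatched ACL.
Test-WeakDirectoryAcl | Format-Table -AutoSize
```

Run it in an elevated session so Get-Acl can read every directory; compare the Acronis path result before and after applying the builds listed below.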

Acronis True Image 2021 build 32010, Acronis Cyber Backup 12.5 build 16363, and Acronis Cyber Protect 15 build 24600 were released in early October 2020 with patches for these vulnerabilities.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
