Acronis has released patches for its True Image, Cyber Backup, and Cyber Protect products to address vulnerabilities that could lead to elevation of privileges.
The flaws could allow unprivileged Windows users to run code with SYSTEM privileges, a vulnerability note from the CERT Coordination Center (CERT/CC) reveals.
Tracked as CVE-2020-10138 (CVSS score 8.1), the first of the bugs affects Acronis Cyber Backup 12.5 and Cyber Protect 15 and resides in a privileged service that uses “an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory within C:jenkins_agent.”
Given that unprivileged Windows users are able to create subdirectories off of the system root, it is possible for a user to create the appropriate path to an openssl.cnf file that would allow them to run arbitrary code with SYSTEM privileges.
The second flaw, CVE-2020-10139 (CVSS score 8.1), was found in Acronis True Image 2021 and is similar to CVE-2020-10138: an unprivileged user can abuse the privileged service to execute a specially-crafted openssl.cnf file with SYSTEM privileges.
Identified in Acronis True Image 2021 and tracked as CVE-2020-10140 (CVSS score 8.7), the third vulnerability exists because the backup software fails to properly set access control lists (ACLs) for the C:ProgramDataAcronis directory.
Thus, an unprivileged user could place a DLL in one of the multiple paths within that directory and achieve arbitrary code execution through privileged processes that are executed from C:ProgramDataAcronis, the CERT/CC note reveals.
“By placing a specially-crafted openssl.cnf or DLL file in a specific location, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Acronis software installed. See DLL Search Order Hijacking for more details,” CERT/CC explains.