4 Acronis backup software vulnerabilities allow ransomware to encrypt backups easily

Cybersecurity specialists have disclosed multiple privilege escalation vulnerabilities in Acronis True Image, Cyber Backup, and Cyber Protection solutions that would allow unprivileged threat actors to execute arbitrary code on a vulnerable Windows system with SYSTEM privileges.

In total, 4 vulnerabilities were found in these backup products. Exploiting them could even allow ransomware attacks to be deployed without victims being able to recover their information.

The first flaw, tracked as CVE-2020-10138, resides in Acronis Cyber Backup 12.5 and Cyber Protect 15, which include an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory in C:\jenkins_agent\.

An unprivileged Windows user can create subdirectories off the system root, so a threat actor could create the path to a specially crafted openssl.cnf file and achieve arbitrary code execution with elevated privileges.

The second vulnerability, tracked as CVE-2020-10139, resides in Acronis True Image 2021, a solution that includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory in C:\jenkins_agent\.

Unprivileged users can create subdirectories off the system root, so a threat actor could create the path to a specially crafted openssl.cnf file and execute arbitrary code with SYSTEM privileges.
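For defenders, both OPENSSLDIR flaws above can be checked for in any bundled OpenSSL build, because the library embeds its compile-time configuration directory as the string `OPENSSLDIR: "<path>"`. The following audit script is an added example, not code from the article or from Acronis; the protected-root list is an assumption about a default Windows install, and the sample blobs (including the `EXAMPLE` subdirectory name) are constructed.

```python
import re
import sys
from pathlib import PureWindowsPath

# OpenSSL embeds its compile-time config directory as: OPENSSLDIR: "<path>"
OPENSSLDIR_RE = re.compile(rb'OPENSSLDIR: "([^"\x00]{1,260})"')

# Assumption: locations standard users cannot write to on a default Windows install.
PROTECTED_ROOTS = [PureWindowsPath(p) for p in (
    r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")]

def find_openssldirs(blob: bytes) -> list[str]:
    """Return every OPENSSLDIR path string embedded in a binary image."""
    return sorted({m.group(1).decode("latin-1")
                   for m in OPENSSLDIR_RE.finditer(blob)})

def is_risky(path: str) -> bool:
    """True when the path is not provably under a protected root."""
    p = PureWindowsPath(path)
    if not p.drive:        # e.g. /usr/local/ssl resolves against the current drive
        return True
    if ".." in p.parts:    # traversal defeats a simple prefix comparison
        return True
    # PureWindowsPath comparisons are case-insensitive, matching NTFS defaults.
    return not any(p == root or root in p.parents for root in PROTECTED_ROOTS)

def audit(blob: bytes) -> dict[str, bool]:
    """Map each embedded OPENSSLDIR to whether it needs an ACL review."""
    return {d: is_risky(d) for d in find_openssldirs(blob)}

# Constructed sample images; the subdirectory name is a placeholder.
SAMPLE_VULN = b"MZ\x00" + rb'OPENSSLDIR: "C:\jenkins_agent\EXAMPLE\ssl"' + b"\x00"
SAMPLE_OK = b"MZ\x00" + rb'OPENSSLDIR: "C:\Program Files\Common Files\SSL"' + b"\x00"

if __name__ == "__main__":
    # Usage: python audit_openssldir.py libcrypto-1_1.dll other.exe ...
    for name in sys.argv[1:]:
        with open(name, "rb") as fh:
            for directory, risky in audit(fh.read()).items():
                verdict = "REVIEW ACL / rebuild" if risky else "ok"
                print(f"{name}: {directory} -> {verdict}")
```

A flagged path is a lead for review, not a confirmed finding: confirm the effective permissions on the directory, or whether it exists at all, before treating it as exploitable.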

Finally, the experts reported CVE-2020-10140, a vulnerability that resides in Acronis True Image and exists because the solution does not properly set ACLs on the C:\ProgramData\Acronis directory.

Because some privileged processes run from the C:\ProgramData\Acronis directory, an unprivileged user could achieve arbitrary code execution with SYSTEM privileges by placing a DLL in one of several paths in C:\ProgramData\Acronis.

These flaws will be fixed in Acronis True Image 2021 build 32010, Acronis Cyber Backup 12.5 build 16363, and Acronis Cyber Protect 15 build 24600, so users of affected versions are advised to update as soon as possible.