{"vuid":"VU#114757","idnumber":"114757","name":"Acronis backup software contains multiple privilege escalation vulnerabilities","keywords":null,"overview":"### Overview\r\n\r\nAcronis True Image, Cyber Backup, and Cyber Protection all contain privilege escalation vulnerabilities, which can allow an unprivileged Windows user to run arbitrary code with SYSTEM privileges.\r\n\r\n### Description\r\n\r\n**CVE-2020-10138**\r\n\r\nAcronis Cyber Backup 12.5 and Cyber Protect 15 include an OpenSSL component that specifies an `OPENSSLDIR` variable as a subdirectory within `C:\\jenkins_agent\\`. Acronis Cyber Backup and Cyber Protect contain a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted `openssl.cnf` file to achieve arbitrary code execution with SYSTEM privileges.\r\n\r\n**CVE-2020-10139**\r\n\r\nAcronis True Image 2021 includes an OpenSSL component that specifies an `OPENSSLDIR` variable as a subdirectory within `C:\\jenkins_agent\\`. Acronis True Image contains a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted `openssl.cnf` file to achieve arbitrary code execution with SYSTEM privileges.\r\n\r\n**CVE-2020-10140**\r\n\r\nAcronis True Image 2021 fails to properly set ACLs of the `C:\\ProgramData\\Acronis` directory. 
Because some privileged processes are executed from the `C:\\ProgramData\\Acronis` directory, an unprivileged user can achieve arbitrary code execution with SYSTEM privileges by placing a DLL in one of several paths within `C:\\ProgramData\\Acronis`.\r\n\r\n### Impact\r\nBy placing a specially-crafted `openssl.cnf` or DLL file in a specific location, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Acronis software installed. See [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001/) for more details.\r\n\r\n### Solution\r\n#### Apply an update\r\nThese vulnerabilities are addressed in Acronis True Image 2021 build 32010 ([release notes](https://www.acronis.com/en-us/support/updates/changes.html?p=42226)), Acronis Cyber Backup 12.5 build 16363 ([release notes](https://dl.managed-protection.com/u/backup/rn/12.5/user/en-US/AcronisBackup12.5_relnotes.htm)), and Acronis Cyber Protect 15 build 24600 ([release notes](https://dl.managed-protection.com/u/cyberprotect/rn/15/user/en-US/AcronisCyberProtect15_relnotes.htm)).\r\n\r\n### Acknowledgements\r\nThis vulnerability was reported by Will Dormann of the CERT/CC. 
Acronis also credits HackerOne researchers @adr, @mmg, @vanitas, @xnand with independently discovering and reporting the vulnerabilities.\r\n\r\nThis document was written by Will Dormann.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://www.acronis.com/en-us/support/updates/changes.html?p=42226","https://dl.managed-protection.com/u/backup/rn/12.5/user/en-US/AcronisBackup12.5_relnotes.htm","https://dl.managed-protection.com/u/cyberprotect/rn/15/user/en-US/AcronisCyberProtect15_relnotes.htm","https://attack.mitre.org/techniques/T1574/001/"],"cveids":["CVE-2020-10140","CVE-2020-10139","CVE-2020-10138"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2020-10-12T20:14:37.480508Z","publicdate":"2020-10-12T20:14:37.265851Z","datefirstpublished":"2020-10-12T20:14:37.500512Z","dateupdated":"2020-10-12T21:40:42.850364Z","revision":4,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":28}