Acronis Patches Privilege Escalation Flaws in Backup, Security Solutions
2020-10-13 13:57

Acronis has released patches for its True Image, Cyber Backup, and Cyber Protect products to address vulnerabilities that could lead to elevation of privileges.

Tracked as CVE-2020-10138, the first of the bugs affects Acronis Cyber Backup 12.5 and Cyber Protect 15 and resides in a privileged service that uses "an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory within C:\jenkins_agent\."

The second flaw, CVE-2020-10139, was found in Acronis True Image 2021 and is similar to CVE-2020-10138: an unprivileged user can abuse the privileged service to execute a specially-crafted openssl.

Identified in Acronis True Image 2021 and tracked as CVE-2020-10140, the third vulnerability exists because the backup software fails to properly set access control lists for the C:\ProgramData\Acronis directory.

Acronis True Image 2021 build 32010, Acronis Cyber Backup 12.5 build 16363, and Acronis Cyber Protect 15 build 24600 were released in early October 2020 with patches for these vulnerabilities.
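To check a host for the kind of weak directory ACL described for CVE-2020-10140, the following added example (not from Acronis or the original article) parses the text printed by `icacls <directory>` and reports allow entries that give low-privileged groups write access. The sample ACL listings are constructed, and the principal names assume an English-language Windows build.

```python
import re

# Principals that any local non-admin user belongs to (English names; extend
# the set for localized Windows builds).
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\interactive",
            "nt authority\\authenticated users"}
# icacls abbreviations that permit creating or changing content, or the ACL.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC", "GA", "GW", "WDAC", "WO"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([^()]+\))+)$")

def writable_by_low_priv(path, icacls_output):
    """Return [(principal, write rights)] for allow ACEs in `icacls <path>`
    output that let low-privileged principals write to or under `path`."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first ACE shares the path's line
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" summary
        tokens = re.findall(r"\(([^()]+)\)", m.group("flags"))
        if "DENY" in tokens:
            continue  # deny ACEs restrict access; they are not a finding
        rights = {r.strip() for t in tokens if t not in INHERIT_FLAGS
                  for r in t.split(",")}
        risky = sorted(rights & WRITE_RIGHTS)
        who = m.group("who").strip()
        if risky and who.lower() in LOW_PRIV:
            findings.append((who, risky))
    return findings

# Constructed icacls output (not captured from a real Acronis installation).
WEAK_ACL = r"""C:\ProgramData\Acronis NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                       BUILTIN\Administrators:(OI)(CI)(F)
                       BUILTIN\Users:(OI)(CI)(RX,WD,AD)
                       Everyone:(DENY)(OI)(CI)(WDAC)
"""
HARDENED_ACL = r"""C:\ProgramData\Acronis NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                       BUILTIN\Administrators:(OI)(CI)(F)
                       BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        print(name, writable_by_low_priv(r"C:\ProgramData\Acronis", text))
```

The same check can be pointed at the directory an OpenSSL build reports as its OPENSSLDIR (shown by `openssl version -d`), which is the location at issue in CVE-2020-10138 and CVE-2020-10139.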


News URL

http://feedproxy.google.com/~r/Securityweek/~3/TDeNoqmmGPU/acronis-patches-privilege-escalation-flaws-backup-security-solutions

Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-10-21 | CVE-2020-10138 | Improper Initialization vulnerability in Acronis Cyber Backup and Cyber Protect. Acronis Cyber Backup 12.5 and Cyber Protect 15 include an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory within C:\jenkins_agent\. (local, low complexity, acronis, CWE-665) | 7.8 |
| 2020-10-21 | CVE-2020-10139 | Improper Initialization vulnerability in Acronis True Image 2021. Acronis True Image 2021 includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory within C:\jenkins_agent\. (local, low complexity, acronis, CWE-665) | 7.8 |
| 2020-10-21 | CVE-2020-10140 | Incorrect Permission Assignment for Critical Resource vulnerability in Acronis True Image 2021. Acronis True Image 2021 fails to properly set ACLs of the C:\ProgramData\Acronis directory. (local, low complexity, acronis, CWE-732) | 7.3 |

Related vendor

| VENDOR | LAST 12M | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|---|---|---|---|---|---|---|---|
| Acronis | | 14 | 0 | 39 | 83 | 7 | 129 |