Security News > 2020 > October > Acronis Patches Privilege Escalation Flaws in Backup, Security Solutions
Acronis has released patches for its True Image, Cyber Backup, and Cyber Protect products to address vulnerabilities that could lead to elevation of privileges.
Tracked as CVE-2020-10138, the first of the bugs affects Acronis Cyber Backup 12.5 and Cyber Protect 15 and resides in a privileged service that uses "An OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory within C:jenkins agent."
The second flaw, CVE-2020-10139, was found in Acronis True Image 2021 and is similar to CVE-2020-10138: an unprivileged user can abuse the privileged service to execute a specially-crafted openssl.
Identified in Acronis True Image 2021 and tracked as CVE-2020-10140, the third vulnerability exists because the backup software fails to properly set access control lists for the C:ProgramDataAcronis directory.
Acronis True Image 2021 build 32010, Acronis Cyber Backup 12.5 build 16363, and Acronis Cyber Protect 15 build 24600 were released in early October 2020 with patches for these vulnerabilities.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-10-21 | CVE-2020-10138 | Improper Initialization vulnerability in Acronis Cyber Backup and Cyber Protect Acronis Cyber Backup 12.5 and Cyber Protect 15 include an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory within C:\jenkins_agent\. | 7.2 |
| 2020-10-21 | CVE-2020-10139 | Improper Initialization vulnerability in Acronis True Image 2021 Acronis True Image 2021 includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory within C:\jenkins_agent\. | 7.2 |
| 2020-10-21 | CVE-2020-10140 | Incorrect Permission Assignment for Critical Resource vulnerability in Acronis True Image 2021 Acronis True Image 2021 fails to properly set ACLs of the C:\ProgramData\Acronis directory. | 6.9 |