Acronis has published a total of twelve security advisories covering vulnerabilities in several of its products. They describe security vulnerabilities, some of which have had patched software available for a long time. Users should check whether the products they use are already up to date.
Of the twelve security reports, four address vulnerabilities that are classified as high risk, seven deal with vulnerabilities of medium threat level and one report deals with a security-related vulnerability that is classified as low risk.
Acronis: High-risk gaps
The most serious vulnerability is closed by the Windows versions Acronis Cyber Protect 15 Update 6, Cyber Protect Home Office Build 40278 and Agent Update C23.02, which have been available for three to seven months. These and newer versions close a vulnerability caused by insecure permissions on a driver communication port that allows attackers to escalate their privileges (CVE-2023-41743, CVSS 8.8, risk "high"). Due to insufficient filtering of submitted data, malicious actors can inject commands into Acronis Cloud Manager for Windows before build 6.2.23089.203 (CVE-2023-41746, CVSS 8.0, high).
Privileges could also be escalated because Acronis Cyber Protect 15 before Update 6 and the Agent before 22.10 each loaded unsigned libraries under macOS, which allowed attackers to inject their own code with higher privileges (CVE-2023-41744, CVSS 7.8, high). During installation, Cyber Protect Home Office for Windows before build 40278 handled soft links incorrectly, which likewise made it possible to escalate privileges on the system (CVE-2022-46869, CVSS 7.3, high).
The developers have closed the other, less risky vulnerabilities with Acronis Cyber Protect 15 (for Linux, macOS and Windows) Build 35979 and Acronis Agent (for Linux, macOS and Windows) Build 35433. Acronis users should no longer run older versions and should ideally update to the software versions currently available.
The list of security vulnerabilities:
Local privilege escalation due to insecure driver communication port permissions (CVE-2023-41743, CVSS 8.8, high)
Remote command execution due to improper input validation (CVE-2023-41748, CVSS 8.0, high)
Local privilege escalation due to unrestricted loading of unsigned libraries (CVE-2023-41744, CVSS 7.8, high)
Local privilege escalation during installation due to improper soft link handling (CVE-2022-46869, CVSS 7.3, high)
Local privilege escalation during recovery due to improper soft link handling (CVE-2022-46868, CVSS 6.7, medium)
Sensitive information disclosure due to improper input validation (CVE-2023-41747, CVSS 6.5, medium)
Sensitive information disclosure due to improper token expiration validation (CVE-2023-41751, CVSS 6.3, medium)
Sensitive information disclosure due to excessive collection of system information (CVE-2023-41745, CVSS 6.1, medium)
Sensitive information leak through log files (CVE-2023-4688, CVSS 4.4, medium)
Sensitive information disclosure due to excessive collection of system information (CVE-2023-41749, CVSS 4.4, medium)
Excessive attack surface due to binding to an unrestricted IP address (CVE-2023-41742, CVSS 4.3, medium)
Sensitive information disclosure due to missing authorization (CVE-2023-41750, CVSS 3.3, low)
Anyone using older versions of the software should immediately download and install the updated versions available.
A vulnerability in Acronis True Image 2021 was most recently reported in February. It allowed attackers to escalate their privileges on the system, which the manufacturer classified as partly high and partly medium risk.