CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
10.4%
Acronis True Image, Cyber Backup, and Cyber Protection all contain privilege escalation vulnerabilities, which can allow an unprivileged Windows user to be able to run arbitrary code with SYSTEM privileges.
CVE-2020-10138
Acronis Cyber Backup 12.5 and Cyber Protect 15 include an OpenSSL component that specifies an OPENSSLDIR
variable as a subdirectory within C:\jenkins_agent\
. Acronis Cyber Backup and Cyber Protect contain a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf
file to achieve arbitrary code execution with SYSTEM privileges.
CVE-2020-10139
Acronis True Image 2021 includes an OpenSSL component that specifies an OPENSSLDIR
variable as a subdirectory within C:\jenkins_agent\
. Acronis True Image contains a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf
file to achieve arbitrary code execution with SYSTEM privileges.
CVE-2020-10140
Acronis True Image 2021 fails to properly set ACLs of the C:\ProgramData\Acronis
directory. Because some privileged processes are executed from the C:\ProgramData\Acronis
directory, an unprivileged user can achieve arbitrary code execution with SYSTEM privileges by placing a DLL in one of several paths within C:\ProgramData\Acronis
.
By placing a specially-crafted openssl.cnf
or DLL file in a specific location, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Acronis software installed. See DLL Search Order Hijacking for more details.
These vulnerabilities are addressed in Acronis True Image 2021 build 32010 (release notes), Acronis Cyber Backup 12.5 build 16363 (release notes), and Acronis Cyber Protect 15 build 24600 (release notes).
This vulnerability was reported by Will Dormann of the CERT/CC. Acronis also credits HackerOne researchers @adr, @mmg, @vanitas, @xnand with independently discovering and reporting the vulnerabilities.
This document was written by Will Dormann.
114757
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Notified: 2020-09-14 Updated: 2020-10-12 CVE-2020-10138 | Affected |
---|---|
CVE-2020-10139 | Affected CVE-2020-10140 |
We have not received a statement from the vendor.
CVE IDs: | CVE-2020-10138 CVE-2020-10139 CVE-2020-10140 |
---|---|
Date Public: | 2020-10-12 Date First Published: |
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
10.4%