Executive Summary

| Summary | |
|---|---|
| Title | Acronis backup software contains multiple privilege escalation vulnerabilities |

| Information | | | |
|---|---|---|---|
| Name | VU#114757 | First vendor Publication | 2020-10-12 |
| Vendor | VU-CERT | Last vendor Modification | 2020-10-12 |
| Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3

| CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | | | |
|---|---|---|---|
| Overall CVSS Score | 7.8 | | |
| Base Score | 7.8 | Environmental Score | 7.8 |
| Impact Sub Score | 5.9 | Temporal Score | 7.8 |
| Exploitability Sub Score | 1.8 | | |
| Attack Vector | Local | Attack Complexity | Low |
| Privileges Required | Low | User Interaction | None |
| Scope | Unchanged | Confidentiality Impact | High |
| Integrity Impact | High | Availability Impact | High |
Security-Database Scoring CVSS v2

| CVSS vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C) | | | |
|---|---|---|---|
| CVSS Base Score | 7.2 | Attack Range | Local |
| CVSS Impact Score | 10 | Attack Complexity | Low |
| CVSS Exploit Score | 3.9 | Authentication | None Required |
Detail

Overview
Acronis True Image, Cyber Backup, and Cyber Protection all contain privilege escalation vulnerabilities, which can allow an unprivileged Windows user to run arbitrary code with SYSTEM privileges.

Description
CVE-2020-10138: Acronis Cyber Backup 12.5 and Cyber Protect 15 include an OpenSSL component that specifies an
CVE-2020-10139: Acronis True Image 2021 includes an OpenSSL component that specifies an
CVE-2020-10140: Acronis True Image 2021 fails to properly set ACLs of the

Impact
By placing a specially-crafted

Solution
Apply an update. These vulnerabilities are addressed in Acronis True Image 2021 build 32010 (release notes), Acronis Cyber Backup 12.5 build 16363 (release notes), and Acronis Cyber Protect 15 build 24600 (release notes).

Acknowledgements
This vulnerability was reported by Will Dormann of the CERT/CC. Acronis also credits HackerOne researchers @adr, @mmg, @vanitas, @xnand with independently discovering and reporting the vulnerabilities. This document was written by Will Dormann.
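The CWE-732 weakness listed for this advisory (a SYSTEM-level component that reads from a directory unprivileged users can write to) is something a defender can audit for on any Windows host. The script below is an added example written for this page, not code from CERT/CC or Acronis, and it does not reference the specific Acronis paths the advisory omits. It walks a directory tree (the starting root `$env:ProgramFiles` is an assumption) and reports every directory whose ACL grants Write, Modify or FullControl to a principal that an ordinary interactive user belongs to. Hits are candidates for manual review, not confirmed vulnerabilities: the finding only matters where a privileged process loads code or configuration from that directory.

```powershell
# Added defender-side audit (not part of VU#114757 or Acronis's own tooling).
# Lists directories under $Root whose ACLs let low-privilege principals write,
# which is the precondition for a CWE-732 style privilege escalation when a
# SYSTEM service consumes files from that directory.
param(
    # Assumed starting point; point it at the install tree you are auditing.
    [string]$Root = "$env:ProgramFiles"
)

# Principals that every unprivileged interactive user is a member of.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow creating or replacing files inside the directory.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-WeakDirectoryAcl {
    param([string]$Path)

    Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }   # skip directories we cannot read the ACL of

            foreach ($ace in $acl.Access) {
                # Only Allow entries for the low-privilege principals above.
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                # Only entries that include at least one write-class right.
                if (($ace.FileSystemRights -band $WriteRights) -eq 0) { continue }

                [pscustomobject]@{
                    Path      = $dir.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # inherited ACEs usually mean a parent is the real problem
                }
            }
        }
}

Get-WeakDirectoryAcl -Path $Root | Format-Table -AutoSize
```

Run it from an elevated prompt so that `Get-Acl` can read every directory; results with `Inherited = True` point at a permissive parent directory rather than the listed path itself. Remediation, as the advisory's vendor fix implies, is to apply the vendor update and to ensure directories consumed by privileged services are writable only by Administrators and SYSTEM.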
Original Source

Url : https://kb.cert.org/vuls/id/114757
CWE : Common Weakness Enumeration

| % | Id | Name |
|---|---|---|
| 67 % | CWE-665 | Improper Initialization |
| 33 % | CWE-732 | Incorrect Permission Assignment for Critical Resource (CWE/SANS Top 25) |
CPE : Common Platform Enumeration

| Type | Description | Count |
|---|---|---|
| Application | | 1 |
| Application | | 2 |
| Application | | 1 |
Alert History

| Date | Information |
|---|---|
| 2021-01-19 21:18:05 | |
| 2020-10-13 00:17:33 | |