Security News


 Vulnerability News SecurityWeek Feed
 
  • VU#567764: MySQL for Windows is vulnerable to privilege escalation due to OPENSSLDIR location


    Overview

    MySQL for Windows contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user can create files.

    Description

    CVE-2021-2307

    MySQL includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory of /build_area/. On the Windows platform, this path is interpreted as C:\build_area. MySQL contains a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges.

    Impact

    By placing a specially-crafted openssl.cnf in a C:\build_area subdirectory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable MySQL software installed.

    Solution

    Apply an update

    This vulnerability is addressed in the MySQL Windows installer version 8.0.24 and 5.7.34.

    Create a C:\build_area directory

    In cases where an update cannot be installed, this vulnerability can be mitigated by creating a C:\build_area directory and restricting ACLs to prevent unprivileged users from being able to write to this location.

    Acknowledgements

    This vulnerability was reported by Will Dormann of the CERT/CC.

    This document was written by Will Dormann.

  • VU#213092: Pulse Connect Secure contains multiple use-after-free vulnerabilities


    Overview

    Pulse Connect Secure (PCS) gateway contains multiple use-after-free vulnerabilities that can allow an unauthenticated remote attacker to execute arbitrary code.

    Description

    CVE-2021-22893

    Multiple use-after-free vulnerabilities that can be reached via license server CGI endpoints may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable Pulse Connect Secure gateway system. Note that a system does not need to be configured to have license server features enabled to be vulnerable. The vulnerable endpoints are present regardless of whether the system is an actual license server or not. Products affected by this vulnerability are PCS version 9.0R3 and higher.

    This vulnerability is being exploited in the wild.

    Impact

    By making a crafted request to a vulnerable Pulse Connect Secure system, an unauthenticated remote attacker may be able to execute arbitrary code on the gateway with root privileges.

    Pulse Secure has assigned this vulnerability a critical CVSS score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

    Solution

    Apply an update

    This vulnerability is addressed in Pulse Connect Secure 9.1R11.4.

    Apply a workaround

    Pulse Secure has published a Workaround-2104.xml file that reportedly contains mitigations to protect against this vulnerability. Note that installing this workaround will block the ability to use the following features:

    • Windows File Share Browser
    • Pulse Secure Collaboration
    • License Server

    Instead of using the workaround to protect a PCS that is being used as a license server, we recommend updating such systems to PCS 9.1R11.4. If this is not possible, restrict which IP addresses are allowed to communicate with the system.

    Acknowledgements

    This vulnerability was publicly reported by Pulse Secure with additional details and context published by FireEye.

    This document was written by Chuck Yarbrough and Will Dormann.

  • VU#240785: Atlassian Bitbucket on Windows is vulnerable to privilege escalation due to weak ACLs


    Overview

    Atlassian Bitbucket on Windows fails to properly set ACLs, which can allow an unprivileged Windows user to run arbitrary code with SYSTEM privileges.

    Description

    The Atlassian Bitbucket Windows installer fails to set a secure access-control list (ACL) on the default installation directory, such as C:\Atlassian\Bitbucket\. By default, unprivileged users can create files in this directory structure, which creates a privilege-escalation vulnerability.

    Impact

    By placing a specially-crafted DLL file in the Bitbucket installation directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Bitbucket software installed. See DLL Search Order Hijacking for more details.

    Solution

    Apply an update

    This issue has been addressed in the Bitbucket Windows installer for versions 7.10.1, 7.6.4, and 6.10.9. Please see https://jira.atlassian.com/browse/BSERV-12753 for more details.

    Acknowledgements

    This vulnerability was reported by Will Dormann of the CERT/CC.

    This document was written by Will Dormann.

  • VU#466044: Siemens Totally Integrated Automation Portal vulnerable to privilege escalation due to Node.js paths


    Overview

    Siemens Totally Integrated Administrator (TIA) fails to properly set the module search path to be used by a privileged Node.js component, which can allow an unprivileged Windows user to run arbitrary code with SYSTEM privileges. The PCS neo administration console is reported to be affected as well.

    Description

    Siemens TIA runs a privileged Node.js component. The Node.js server fails to properly set the module search path. Because of this, Node.js will look for modules in the C:\node_modules\ directory when the server is started. Because unprivileged Windows users can create subdirectories off of the system root, a user can create this directory and place a specially-crafted .js file in it to achieve arbitrary code execution with SYSTEM privileges when the server starts.

    Impact

    By placing a specially-crafted JS file in the C:\node_modules\ directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Siemens TIA or PCS neo administration console software installed.

    Solution

    Apply an update

    This issue is addressed in TIA Administrator V1.0 SP2 Upd2. PCS neo administration console users should apply the mitigations described in Industrial Security in SIMATIC PCS neo.

    For more details see Siemens Security Advisory SSA-428051.

    Acknowledgements

    This vulnerability was reported by Will Dormann of the CERT/CC.

    This document was written by Will Dormann.

  • VU#794544: Sudo set_cmd() is vulnerable to heap-based buffer overflow


    Overview

    A heap-based overflow has been discovered in the set_cmd() function in sudo, which may allow a local attacker to execute commands with elevated administrator privileges.

    Description

    From the Sudo Main Page:

    Sudo (su "do") allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.

    It is possible for a local non-administrative user to exploit this vulnerability to elevate their privileges so that they can execute commands with administrator privileges. The team at Qualys assigned this vulnerability CVE-2021-3156 and found multiple *nix operating systems were vulnerable, including Fedora, Debian, and Ubuntu. A blog update from February 3, 2021, reports that macOS, AIX, and Solaris may be vulnerable, but Qualys had not yet confirmed this. There is additional reporting that other operating systems are affected, including Apple’s Big Sur.

    Impact

    If an attacker has local access to an affected machine then it is possible for them to execute commands with administrator privileges.

    Solution

    Apply an Update

    Update sudo to the latest version to address this vulnerability when operationally feasible. This issue is resolved in sudo version 1.9.5p2. Please install this version, or a version from your distribution that has the fix applied to it.

    Acknowledgements

    This vulnerability was researched and reported by the Qualys Research Team.

    This document was written by Timur Snoke.

  • VU#125331: Adobe ColdFusion is vulnerable to privilege escalation due to weak ACLs


    Overview

    Adobe ColdFusion fails to properly set ACLs, which can allow an unprivileged Windows user to run arbitrary code with SYSTEM privileges.

    Description

    The Adobe ColdFusion installer fails to set a secure access-control list (ACL) on the default installation directory, such as C:\ColdFusion2021\. By default, unprivileged users can create files in this directory structure, which creates a privilege-escalation vulnerability.

    Impact

    By placing a specially-crafted DLL file in the ColdFusion installation directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable ColdFusion software installed. See DLL Search Order Hijacking for more details.

    Solution

    Use the Server Auto-Lockdown Installer

    By default, ColdFusion does not configure itself securely. In order to secure ColdFusion with respect to service privileges, ACLs, and other attributes, the ColdFusion Server Auto-Lockdown installer must be installed in addition to installing ColdFusion itself.

    Mitigation steps will vary based on the version of ColdFusion being used:

    • ColdFusion 2016: Apply the changes outlined in the ColdFusion 2016 Lockdown Guide.
    • ColdFusion 2018: Run the ColdFusion 2018 Auto-Lockdown installer and ensure that it completes without error.
    • ColdFusion 2021: Run the ColdFusion 2021 Auto-Lockdown installer and ensure that it completes without error.

    Acknowledgements

    This vulnerability was reported by Will Dormann of the CERT/CC.

    This document was written by Will Dormann.

  • VU#434904: Dnsmasq is vulnerable to memory corruption and cache poisoning


    Overview

    Dnsmasq is vulnerable to a set of memory corruption issues handling DNSSEC data and a second set of issues validating DNS responses. These vulnerabilities could allow an attacker to corrupt memory on a vulnerable system and perform cache poisoning attacks against a vulnerable environment.

    These vulnerabilities are also tracked as ICS-VU-668462 and referred to as DNSpooq.

    Description

    Dnsmasq is widely used open-source software that provides DNS forwarding and caching (and also a DHCP server). Dnsmasq is common in Internet-of-Things (IoT) and other embedded devices.

    JSOF reported multiple memory corruption vulnerabilities in dnsmasq due to boundary checking errors in DNSSEC handling code.

    • CVE-2020-25681: A heap-based buffer overflow in dnsmasq in the way it sorts RRSets before validating them with DNSSEC data in an unsolicited DNS response
    • CVE-2020-25682: A buffer overflow vulnerability in the way dnsmasq extracts names from DNS packets before validating them with DNSSEC data
    • CVE-2020-25683: A heap-based buffer overflow in get_rdata subroutine of dnsmasq, when DNSSEC is enabled and before it validates the received DNS entries
    • CVE-2020-25687: A heap-based buffer overflow in sort_rrset subroutine of dnsmasq, when DNSSEC is enabled and before it validates the received DNS entries

    JSOF also reported vulnerabilities in DNS response validation that can result in DNS cache poisoning.

    • CVE-2020-25684: Dnsmasq does not validate the combination of address/port and the query-id fields of DNS request when accepting DNS responses
    • CVE-2020-25685: Dnsmasq uses a weak hashing algorithm (CRC32) when compiled without DNSSEC to validate DNS responses
    • CVE-2020-25686: Dnsmasq does not check for an existing pending request for the same name and forwards a new request thus allowing an attacker to perform a "Birthday Attack" scenario to forge replies and potentially poison the DNS cache

    Note: These cache poisoning scenarios and defenses are discussed in IETF RFC5452.
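    The response checks whose absence is described above (address/port plus query ID, one outstanding request per name), together with the 0x20-bit encoding recommended in the Solution section, can be modelled in a few lines. This is an added example, not dnsmasq code; the `Forwarder` class, its method names and the sample addresses are assumptions made for illustration.

```python
import secrets
import struct


def encode_question(name, qtype=1, qclass=1):
    """Encode a question section (uncompressed labels, then type and class)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00" + struct.pack("!HH", qtype, qclass)


def parse_question(packet):
    """Return (txid, is_response, name, qtype, qclass) of a one-question message."""
    if len(packet) < 12:
        raise ValueError("short header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:
            raise ValueError("compressed or invalid label in question")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, bool(flags & 0x8000), ".".join(labels), qtype, qclass


def randomize_case(name):
    """0x20 encoding: random letter case that the reply must echo exactly."""
    return "".join(c.upper() if secrets.randbits(1) else c.lower() for c in name)


def make_response(txid, qname, qtype=1):
    """Constructed upstream reply (no answer records) used to exercise accept()."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0)
    return header + encode_question(qname, qtype)


class Forwarder:
    """Toy model of a forwarder's outstanding-query table (hypothetical names)."""

    def __init__(self):
        self.pending = {}

    def new_query(self, name, server, qtype=1):
        key = (name.lower(), qtype, server)
        if key in self.pending:
            # Reuse the outstanding query instead of opening a second one, so
            # repeated lookups do not multiply the IDs an off-path forger can hit.
            return self.pending[key]
        query = {
            "txid": secrets.randbits(16),
            "sport": 1024 + secrets.randbelow(64512),
            "qname": randomize_case(name),
        }
        query["packet"] = (struct.pack("!HHHHHH", query["txid"], 0x0100, 1, 0, 0, 0)
                           + encode_question(query["qname"], qtype))
        self.pending[key] = query
        return query

    def accept(self, src, dport, packet):
        """Accept a reply only if every field of the original query matches."""
        try:
            txid, is_response, name, qtype, qclass = parse_question(packet)
        except (ValueError, IndexError, struct.error):
            return False
        key = (name.lower(), qtype, src)   # src must be the server we queried
        query = self.pending.get(key)
        ok = (query is not None and is_response and qclass == 1
              and txid == query["txid"]      # query ID
              and dport == query["sport"]    # port the query was sent from
              and name == query["qname"])    # exact 0x20 case
        if ok:
            del self.pending[key]
        return ok
```
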

    Impact

    The memory corruption vulnerabilities can be triggered by a remote attacker using crafted DNS responses that can lead to denial of service, information exposure, and potentially remote code execution. The DNS response validation vulnerabilities allow an attacker to use unsolicited DNS responses to poison the DNS cache and redirect users to arbitrary sites.

    Solution

    Apply updates

    These vulnerabilities are addressed in dnsmasq 2.83. Users of IoT and embedded devices that use dnsmasq should contact their vendors.

    Follow security best-practices

    Consider the following security best-practices to protect DNS infrastructure:

    • Protect your DNS clients using stateful-inspection firewalls that provide DNS security (e.g., stateful firewalls and NAT devices can block unsolicited DNS responses, DNS application layer inspection can prevent forwarding of anomalous DNS packets).
    • Provide secure DNS recursion service with features such as DNSSEC validation and the interim 0x20-bit encoding as part of enterprise DNS services where applicable.
    • Prevent exposure of IoT devices and lightweight devices directly over the Internet to minimize abuse of DNS.
    • Implement a Secure By Default configuration suitable for your operating environment (e.g., disable caching on embedded IoT devices when an upstream caching resolver is available).

    Acknowledgements

    Moshe Kol and Shlomi Oberman of JSOF researched and reported these vulnerabilities. Simon Kelley (author of dnsmasq) worked closely with collaborative vendors (Cisco, Google, Pi-Hole, Red Hat) to develop patches to address these security vulnerabilities. GitHub also supported these collaboration efforts providing support to use their GitHub Security Advisory platform for collaboration.

    This document was written by Vijay Sarvepalli.

  • VU#843464: SolarWinds Orion API authentication bypass allows remote command execution


    Overview

    The SolarWinds Orion API is vulnerable to authentication bypass that could allow a remote attacker to execute API commands.

    Description

    The SolarWinds Orion Platform is a suite of infrastructure and system monitoring and management products. The SolarWinds Orion API is embedded into the Orion Core and is used to interface with all SolarWinds Orion Platform products. API authentication can be bypassed by including specific parameters in the Request.PathInfo portion of a URI request, which could allow an attacker to execute unauthenticated API commands. In particular, if an attacker appends a PathInfo parameter of WebResource.axd, ScriptResource.axd, i18n.ashx, or Skipi18n to a request to a SolarWinds Orion server, SolarWinds may set the SkipAuthorization flag, which may allow the API request to be processed without requiring authentication.

    This vulnerability, also known as CVE-2020-10148, is the vulnerability that SolarWinds has indicated to have been used to install the malware known as SUPERNOVA.

    We have created a python3 script to check for vulnerable SolarWinds Orion servers: swcheck.py
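    For reviewing existing web server logs, the PathInfo behaviour described above can be turned into a simple hunt. This is an added example, not the swcheck.py script mentioned above; the log lines are constructed, the `/Orion/Example...` paths are hypothetical, and treating the first dotted path segment as the handler is a heuristic assumed here.

```python
from urllib.parse import unquote

# PathInfo values named in the advisory text above (lower-cased for matching).
MARKERS = ("webresource.axd", "scriptresource.axd", "i18n.ashx", "skipi18n")

# Constructed IIS W3C log excerpt; addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2020-12-20 10:01:02 192.0.2.10 GET /Orion/ExamplePage.aspx - 443 - 198.51.100.7 200
2020-12-20 10:01:03 192.0.2.10 GET /WebResource.axd d=abc&t=1 443 - 198.51.100.7 200
2020-12-20 10:04:40 192.0.2.10 GET /Orion/ExamplePage.aspx/Skipi18n - 443 - 203.0.113.50 200
2020-12-20 10:04:41 192.0.2.10 POST /Orion/ExampleHandler.ashx/WebResource.axd - 443 - 203.0.113.50 200
"""


def split_path_info(uri_stem):
    """Split a URI stem into (handler, path_info).

    Heuristic (assumption of this example): the first path segment that
    contains a '.' is the requested handler; everything after it is PathInfo.
    """
    segments = unquote(uri_stem).split("/")
    for i, segment in enumerate(segments):
        if "." in segment:
            rest = segments[i + 1:]
            path_info = "/" + "/".join(rest) if rest else ""
            return "/".join(segments[:i + 1]), path_info
    return "/".join(segments), ""


def scan_iis_log(lines):
    """Return one record per request whose PathInfo carries a listed marker."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        handler, path_info = split_path_info(row.get("cs-uri-stem", ""))
        matched = [m for m in MARKERS if m in path_info.lower()]
        if matched:
            hits.append({
                "when": f"{row.get('date')} {row.get('time')}",
                "client": row.get("c-ip"),
                "handler": handler,
                "path_info": path_info,
                "markers": matched,
                "status": row.get("sc-status"),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

    A direct request for `/WebResource.axd` is not flagged because the marker is the handler itself rather than trailing PathInfo; hits still need triage against the response status and what the same client requested next.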

    Impact

    This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance.

    Solution

    Apply an Update

    Users should update to the relevant versions of the SolarWinds Orion Platform:

    • 2019.4 HF 6 (released December 14, 2020)
    • 2020.2.1 HF 2 (released December 15, 2020)
    • 2019.2 SUPERNOVA Patch (released December 23, 2020)
    • 2018.4 SUPERNOVA Patch (released December 23, 2020)
    • 2018.2 SUPERNOVA Patch (released December 23, 2020)

    More information can be found in the SolarWinds Security Advisory.

    Harden the IIS Server

    Especially in cases when updates cannot be installed, we recommend that users implement these mitigations to harden the IIS server.

    Acknowledgements

    This document was written by Madison Oliver and Will Dormann.

  • VU#429301: Veritas Backup Exec is vulnerable to privilege escalation due to OPENSSLDIR location


    Overview

    Veritas Backup Exec contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user can create files.

    Description

    CVE-2019-1552

    Veritas Backup Exec includes an OpenSSL component that specifies an OPENSSLDIR variable as /usr/local/ssl/. On the Windows platform, this path is interpreted as C:\usr\local\ssl. Backup Exec contains a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges.

    Impact

    By placing a specially-crafted openssl.cnf in the C:\usr\local\ssl directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Veritas software installed.

    Solution

    Apply an update

    This vulnerability is addressed in Backup Exec 21.1 Hotfix 657517 (Engineering version 21.0.1200.1217) and Backup Exec 20.6 Hotfix 298543 (Engineering version 20.0.1188.2734).

    Create a C:\usr\local\ssl directory

    In cases where an update cannot be installed, this vulnerability can be mitigated by creating a C:\usr\local\ssl directory and restricting ACLs to prevent unprivileged users from being able to write to this location.
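    This mitigation, and the identical C:\build_area mitigation in the MySQL note above, only helps if the new directory does not inherit the system root's default write access for ordinary users. The following added example (not CERT/CC or vendor code) parses the text output of `icacls <directory>` and lists principals outside a trusted set that can still create or modify files; the sample outputs are constructed and the trusted set is an assumption to adjust per environment.

```python
import re

# icacls right tokens that let a principal create or change files in a directory.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GA", "GW"}
# Tokens that describe inheritance rather than access.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Assumption: principals allowed to write where a SYSTEM service reads its config.
TRUSTED = {"nt authority\\system", "builtin\\administrators",
           "nt service\\trustedinstaller", "creator owner"}

ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^)]*\))+)$")

# Constructed sample: directory created under C:\ with inherited default ACEs.
INHERITED_ACL = r"""C:\build_area BUILTIN\Administrators:(I)(OI)(CI)(F)
              NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
              BUILTIN\Users:(I)(OI)(CI)(RX)
              NT AUTHORITY\Authenticated Users:(I)(M)
              NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed sample: inheritance removed, explicit ACEs only.
RESTRICTED_ACL = r"""C:\build_area BUILTIN\Administrators:(OI)(CI)(F)
              NT AUTHORITY\SYSTEM:(OI)(CI)(F)
              BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(path, output):
    """Yield (principal, rights, is_deny) for each ACE in `icacls <path>` output."""
    for line in output.splitlines():
        if line.startswith(path):
            line = line[len(path):]        # first ACE shares a line with the path
        match = ACE_RE.match(line.strip())
        if not match:                      # blank lines and the summary footer
            continue
        tokens = set()
        for group in re.findall(r"\(([^)]*)\)", match.group("groups")):
            tokens.update(t.strip().upper() for t in group.split(","))
        is_deny = "DENY" in tokens
        yield match.group("who"), tokens - INHERIT_FLAGS - {"DENY"}, is_deny


def untrusted_writers(path, output):
    """Map each non-trusted principal to the write-capable rights it is granted."""
    findings = {}
    for principal, rights, is_deny in parse_icacls(path, output):
        if is_deny or principal.lower() in TRUSTED:
            continue
        granted = rights & WRITE_RIGHTS
        if granted:
            findings.setdefault(principal, set()).update(granted)
    return {who: sorted(rights) for who, rights in findings.items()}


if __name__ == "__main__":
    for label, text in (("inherited", INHERITED_ACL), ("restricted", RESTRICTED_ACL)):
        print(label, untrusted_writers(r"C:\build_area", text))
```

    The check covers the ACL only. If the directory already existed and is owned by an unprivileged account, review ownership as well, because an owner can rewrite the ACL.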

    Acknowledgements

    This vulnerability was reported by Will Dormann of the CERT/CC.

    This document was written by Will Dormann.

  • VU#815128: Embedded TCP/IP stacks have memory corruption vulnerabilities


    Overview

    Multiple open-source embedded TCP/IP stacks, commonly used in Internet of Things (IoT) and embedded devices, have several vulnerabilities stemming from improper memory management. These vulnerabilities are also tracked as ICS-VU-633937 and JVNVU#96491057 and are referred to as AMNESIA:33.

    Description

    Embedded TCP/IP stacks provide essential network communication capability using TCP/IP networking to many lightweight operating systems adopted by IoT and other embedded devices. These software stacks can also be used in the latest technologies such as Edge Computing. The following embedded TCP/IP stacks were discovered to have 33 memory related vulnerabilities included in this advisory:

    These networking software stacks can be integrated in various ways, including compiled from source, modified and integrated, and linked as dynamic or static libraries, allowing for a wide variety of implementations. As an example, projects such as Apache Nuttx and open-iscsi have adopted common libraries and software modules, thus inheriting some of these vulnerabilities with varying levels of impact. The diversity of implementations and the lack of supply chain visibility have made it difficult to accurately assess the impact, usage, and potential exploitability of these vulnerabilities.

    In general, most of these vulnerabilities are caused by memory management bugs, commonly seen in lightweight software implementations in Real Time Operating Systems (RTOS) and IoT devices. For specific details on these vulnerabilities, see the Forescout advisory that provides technical details. Due to the lack of visibility into where this software is used, Forescout has released an open source version of Detector that can be used to identify potentially vulnerable software.

    Impact

    The impact of these vulnerabilities varies widely due to the combination of build and runtime options customized when these stacks are included in embedded devices. In summary, a remote, unauthenticated attacker may be able to use specially-crafted network packets to cause the vulnerable device to behave in unexpected ways such as a failure (denial of service), disclosure of private information, or execution of arbitrary code.

    Solution

    Apply updates

    Update to the latest stable version of the affected embedded TCP/IP software that addresses these recently disclosed vulnerabilities. If you have adopted this software from an upstream provider, contact the provider to get appropriate updates that need to be integrated into your software. Concerned end-users of IoT and embedded devices that implement these vulnerable TCP/IP software stacks should contact their vendor or the closest reseller to obtain appropriate updates.

    Follow best-practices

    We recommend that you follow best practices when connecting IoT or embedded devices to a network:

    • Avoid exposure of IoT and embedded devices directly over the Internet and use a segmented network zone when available.
    • Enable security features such as deep-packet inspection and firewall anomaly detection when available to protect embedded and IoT devices.
    • Ensure secure defaults are adopted and disable unused features and services on your embedded devices.
    • Regularly update firmware to the vendor provided latest stable version to ensure your device is up to date.

    Acknowledgements

    Jos Wetzels, Stanislav Dashevskyi, Amine Amri and Daniel dos Santos of Forescout Technologies researched and reported these vulnerabilities.

    This document was written by Vijay Sarvepalli.

  • VU#724367: VMware Workspace ONE Access and related components are vulnerable to command injection


    Overview

    VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector are vulnerable to command injection in the administrative configurator. This could allow a remote attacker to execute commands with unrestricted privileges on the underlying operating system.

    Description

    VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector are vulnerable to command injection in the administrative configurator. This could allow a remote attacker with access to the administrative configurator on port 8443 and a valid password to execute commands with unrestricted privileges on the underlying operating system. For additional details, please see VMSA-2020-0027 and CVE-2020-4006.

    Impact

    This could allow a malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account to execute commands with unrestricted privileges on the underlying operating system.

    Active exploitation of this vulnerability has been reported.

    Solution

    VMware has released updates as described in VMSA-2020-0027.

    Workarounds

    VMware has documented workarounds in VMSA-2020-0027.

    Acknowledgements

    Thanks to VMware for coordinating this vulnerability.

    This document was written by Madison Oliver.

  • VU#231329: Replay Protected Memory Block (RPMB) protocol does not adequately defend against replay attacks


    Overview

    The Replay Protected Memory Block (RPMB) protocol found in several storage specifications does not securely protect against replay attacks. An attacker with physical access can deceive a trusted component about the status of an RPMB write command or the content of an RPMB area.

    Description

    The RPMB protocol "...enables a device to store data in a small, specific area that is authenticated and protected against replay attack." RPMB is most commonly found in mobile phones and tablets using flash storage technology such as eMMC, UFS, and NVMe. The RPMB protocol allows an attacker to replay stale write failure messages and write commands, leading to state confusion between a trusted component and the contents of an RPMB area. Additional details are available in Replay Attack Vulnerabilities in RPMB Protocol Applications.

    Impact

    An attacker with physical access to a device can cause a mismatch between the write state or contents of the RPMB area and a trusted component of the device. These mismatches can lead to the trusted component believing a write command failed when in fact it succeeded, or the trusted component believing that certain content was written when in fact different content (unmodified by the attacker) was written. Further implications depend on the specific device and use of RPMB. At least one affected vendor has confirmed that denial of service

    Solution

    Please see the Vendor Information section below. Further vendor information is available in Replay Attack Vulnerabilities in RPMB Protocol Applications.

    Acknowledgements

    Rotem Sela and Brian Mastenbrook of Western Digital identified this vulnerability. Western Digital coordinated its disclosure with the affected vendors. Thanks Western Digital PSIRT!

    This document was written by Eric Hatleback.

  • VU#760767: Macrium Reflect is vulnerable to privilege escalation due to OPENSSLDIR location


    Overview

    Macrium Reflect contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user can create files.

    Description

    CVE-2020-10143

    Macrium Reflect includes an OpenSSL component that specifies an OPENSSLDIR variable as C:\openssl\. Macrium Reflect contains a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges.

    Impact

    By placing a specially-crafted openssl.cnf in the C:\openssl\ directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Macrium software installed.

    Solution

    Apply an update

    This vulnerability is addressed in Macrium Reflect v7.3.5281.

    Acknowledgements

    This vulnerability was reported by Will Dormann of the CERT/CC.

    This document was written by Will Dormann.

  • VU#208577: Chocolatey Boxstarter is vulnerable to privilege escalation due to weak ACLs


    Overview

    Chocolatey Boxstarter fails to properly set ACLs, which can allow an unprivileged Windows user to run arbitrary code with SYSTEM privileges.

    Description

    CVE-2020-15264

    The Chocolatey Boxstarter installer fails to set a secure access-control list (ACL) on the C:\ProgramData\Boxstarter directory, which is added to the system-wide PATH environment variable. A privilege escalation vulnerability is introduced since any location in the system-wide PATH environment variable may be used to load code that runs with privileges.

    Impact

    By placing a specially-crafted DLL file in the C:\ProgramData\Boxstarter directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Boxstarter software installed. See DLL Search Order Hijacking for more details.

    Solution

    Apply an update

    This vulnerability is addressed in Chocolatey Boxstarter version 2.13.0. Please see the security advisory for more details.

    Acknowledgements

    This vulnerability was reported by Will Dormann of the CERT/CC.

    This document was written by Will Dormann.

  • VU#114757: Acronis backup software contains multiple privilege escalation vulnerabilities


    Overview

    Acronis True Image, Cyber Backup, and Cyber Protection all contain privilege escalation vulnerabilities, which can allow an unprivileged Windows user to run arbitrary code with SYSTEM privileges.

    Description

    CVE-2020-10138

    Acronis Cyber Backup 12.5 and Cyber Protect 15 include an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory within C:\jenkins_agent\. Acronis Cyber Backup and Cyber Protect contain a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges.

    CVE-2020-10139

    Acronis True Image 2021 includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory within C:\jenkins_agent\. Acronis True Image contains a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges.

    CVE-2020-10140

    Acronis True Image 2021 fails to properly set ACLs of the C:\ProgramData\Acronis directory. Because some privileged processes are executed from the C:\ProgramData\Acronis directory, an unprivileged user can achieve arbitrary code execution with SYSTEM privileges by placing a DLL in one of several paths within C:\ProgramData\Acronis.

    Impact

    By placing a specially-crafted openssl.cnf or DLL file in a specific location, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Acronis software installed. See DLL Search Order Hijacking for more details.

    Solution

    Apply an update

    These vulnerabilities are addressed in Acronis True Image 2021 build 32010 (release notes), Acronis Cyber Backup 12.5 build 16363 (release notes), and Acronis Cyber Protect 15 build 24600 (release notes).

    Acknowledgements

    This vulnerability was reported by Will Dormann of the CERT/CC. Acronis also credits HackerOne researchers @adr, @mmg, @vanitas, @xnand with independently discovering and reporting the vulnerabilities.

    This document was written by Will Dormann.