
Acronis True Image Security Vulnerability Leaves Millions of Users At Risk

A security vulnerability was recently disclosed in Acronis True Image that could allow an attacker positioned on the network between the program and its update server to execute arbitrary code on a victim's device with administrator privileges. The flaw exists because Acronis True Image does not check for or retrieve updates securely: versions up to and including 2017 Build 8053 perform update operations over unprotected HTTP, and a downloaded update is validated only against an MD5 hash that the same server supplies. Because the hash travels over the same unauthenticated channel as the update itself, anyone who can rewrite the download can rewrite the hash to match, so the check offers no real protection against tampering.

That means an attacker on the same network as an Acronis True Image user can mount a Man-in-the-Middle (MITM) attack on the update process, substitute a malicious update, and have it run with administrator privileges. The vulnerability is designated CVE-2017-3219, carries a CVSS base score of 8.3, and is rated "High Severity" by CERT.
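To make the failure mode concrete, here is a small simulation of the update flow described above. It is an added example written for this article, not Acronis code, and the server paths, manifest layout and payloads are all constructed for illustration. The "weak" client mirrors the advisory: it fetches a manifest and a binary over plain HTTP and trusts the MD5 in the manifest. The "hardened" client only trusts the manifest after checking it against a key pinned in the client; that signature is modelled here with HMAC-SHA256 as a stand-in for a real asymmetric signature (Ed25519 or RSA), which is what a production updater would use so that the client holds only the public half.

```python
"""Simulated update flow: why a server-supplied MD5 over plain HTTP gives no
integrity against a network attacker, and what a pinned-key check changes.
Added example for this article; all data below is constructed, not real."""
import hashlib
import hmac
import json

# Constructed sample payloads (not real Acronis artifacts).
GENUINE_UPDATE = b"genuine update v2 (constructed sample)"
MALICIOUS_UPDATE = b"attacker-controlled binary, would run as administrator"

# Hypothetical vendor key. Stand-in for an asymmetric key pair: a real client
# would pin only the public half, so a network attacker never holds it.
VENDOR_SIGNING_KEY = b"hypothetical-vendor-key-pinned-in-client"


def md5_manifest(payload: bytes) -> bytes:
    """Weak scheme as in the advisory: the manifest carries only an MD5."""
    return json.dumps({"version": 2, "md5": hashlib.md5(payload).hexdigest()}).encode()


def signed_manifest(payload: bytes, key: bytes) -> bytes:
    """Hardened scheme: manifest carries version + SHA-256, authenticated under
    the vendor key (HMAC here as a stand-in for a detached digital signature)."""
    body = {"version": 2, "sha256": hashlib.sha256(payload).hexdigest()}
    canonical = json.dumps(body, sort_keys=True).encode()
    body["sig"] = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return json.dumps(body).encode()


class VendorServer:
    """The genuine update server, reached over plain HTTP."""
    def __init__(self, payload: bytes):
        self.payload = payload

    def get(self, path: str) -> bytes:
        if path == "/update.json":
            return md5_manifest(self.payload)
        if path == "/signed.json":
            return signed_manifest(self.payload, VENDOR_SIGNING_KEY)
        if path == "/update.bin":
            return self.payload
        raise KeyError(path)


class MitmAttacker:
    """Attacker on the same network: rewrites every HTTP response the client
    sees. Holds the victim's traffic, but not the vendor key."""
    def __init__(self, upstream: VendorServer, evil: bytes):
        self.upstream, self.evil = upstream, evil

    def get(self, path: str) -> bytes:
        if path == "/update.bin":
            return self.evil
        if path == "/update.json":
            return md5_manifest(self.evil)          # hash recomputed to match
        if path == "/signed.json":
            forged = json.loads(self.upstream.get(path))
            forged["sha256"] = hashlib.sha256(self.evil).hexdigest()
            return json.dumps(forged).encode()      # sig no longer matches body
        return self.upstream.get(path)


def weak_update(fetch) -> bytes:
    """Client behaviour described in the advisory: trusts the server's MD5."""
    manifest = json.loads(fetch("/update.json"))
    payload = fetch("/update.bin")
    if hashlib.md5(payload).hexdigest() != manifest["md5"]:
        raise ValueError("md5 mismatch")
    return payload  # would be executed with administrator privileges


def hardened_update(fetch, key: bytes = VENDOR_SIGNING_KEY,
                    installed_version: int = 1) -> bytes:
    """Client that authenticates the manifest against a pinned key first, then
    checks the payload hash, and refuses rollback to an older version."""
    manifest = json.loads(fetch("/signed.json"))
    sig = manifest.pop("sig")
    canonical = json.dumps(manifest, sort_keys=True).encode()
    expected = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("manifest signature invalid")
    if manifest["version"] <= installed_version:
        raise ValueError("rollback or replay of an old manifest")
    payload = fetch("/update.bin")
    if hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        raise ValueError("payload hash mismatch")
    return payload


def run_scenarios() -> dict:
    """Run both clients over a clean path and over the attacker; the value is
    what the client would install, or the error it stopped on."""
    server = VendorServer(GENUINE_UPDATE)
    attacker = MitmAttacker(server, MALICIOUS_UPDATE)
    results = {}
    for client_name, client in (("weak", weak_update), ("hardened", hardened_update)):
        for net_name, source in (("clean", server), ("mitm", attacker)):
            try:
                results[(client_name, net_name)] = client(source.get)
            except ValueError as exc:
                results[(client_name, net_name)] = f"REJECTED: {exc}"
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(key, "->", value)
```

The weak client accepts the attacker's binary because the attacker simply recomputes the MD5; the hardened client rejects it because the attacker cannot produce a valid signature over the altered hash. Note that TLS alone (HTTPS with a validated certificate) would also have blocked this particular on-path attacker, but a signed manifest additionally protects against a compromised mirror or CDN, which is why mature updaters do both.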

Acronis True Image is a disk backup utility software for Windows and Mac systems, with over 5 million users worldwide. The latest iteration of the backup solution, Acronis True Image 2017, was released earlier this year, introducing new features such as anti-ransomware and blockchain-based capabilities. The software was touted as having integrated both backup and security by incorporating leading edge technologies to help users thwart a range of cyber threats and minimise any potential data loss.

But if the backup and protection software itself exposes users to security threats and data breaches, then the company certainly has a lot of explaining to do. For the moment, Acronis is fortunate that the vulnerability has not been widely reported.

At the time of writing there is no published fix. Until one is available, users of Acronis True Image are advised to download updates only directly from the Acronis web site and to avoid running the built-in update check on untrusted networks, such as public Wi-Fi, where an on-path attacker could tamper with the download.

Editor's Comment: 

Since we published this article, Acronis got back to us with the following statement:

"Acronis is aware of a minor security issue related to Acronis True Image (versions 2017 Build 8053 and earlier) that was reported by our colleagues at CERT Coordination Center (CERT/CC) at Carnegie Mellon University's Software Engineering Institute.
 
We immediately fixed the vulnerability, prepared a patch for our newest update, and are currently notifying users of the issue.
 
While the threat to users is considered low-risk since multiple, rare occurrences would need to happen in order for someone to exploit the vulnerability, we are urging all Acronis True Image customers to apply the patch by opening the application and selecting Check for Updates.
 
Acronis takes data protection very seriously, which is why we have acted so quickly to respond to this threat. We will examine this incident further to ensure no similar vulnerabilities exist in our products."