A security vulnerability was recently disclosed in Acronis True Image that could allow an attacker on the same network as a victim to execute arbitrary code on the victim's device with administrator privileges. The flaw lies in how Acronis True Image checks for and retrieves updates: versions up to and including 2017 Build 8053 perform update operations over unprotected HTTP, and a downloaded update is validated only by comparing it against an MD5 hash that the server supplies over that same unauthenticated channel. An attacker who can rewrite the HTTP traffic can therefore replace both the update package and its published hash, so the hash check provides no protection against tampering.
That means an attacker on the same network as an Acronis True Image user can intercept the update traffic (a Man-In-The-Middle, or MITM, attack), substitute a malicious update and have it installed and run with administrator privileges. The vulnerability is designated CVE-2017-3219, carries a CVSS base score of 8.3 and is rated "High Severity" by CERT.
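To make the failure concrete, the following is an added example in Go, written for this article and not taken from Acronis or from the CERT note; the manifest format, URLs and sample packages are constructed. It simulates a client that checks an update only against a server-supplied MD5 (the pattern the advisory describes), an on-path attacker who rewrites both the package and its hash, and a hardened client that verifies an Ed25519 signature over a manifest carrying a SHA-256 digest, using a public key pinned in the client. The point of the comparison is that a digest is only as trustworthy as the channel it arrived on.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a constructed stand-in for the metadata an update server hands a
// client: where to fetch the package and a hex digest of its contents.
// (Hypothetical format; Acronis' real update protocol is not reproduced here.)
type Manifest struct {
	URL    string `json:"url"`
	Digest string `json:"digest"`
}

// insecureCheck mirrors the weakness the advisory describes: the manifest and
// the package both arrive over plaintext HTTP, and the only check is that the
// package matches the MD5 that the same untrusted channel supplied.
func insecureCheck(manifestJSON, pkg []byte) error {
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return err
	}
	sum := md5.Sum(pkg)
	if hex.EncodeToString(sum[:]) != m.Digest {
		return errors.New("md5 mismatch")
	}
	return nil // package would now be installed with administrator privileges
}

// mitmRewrite is what an on-path attacker does to an HTTP update: swap in their
// own package and publish a matching MD5. No secret is needed, because nothing
// in the exchange is authenticated.
func mitmRewrite(evil []byte) (manifestJSON, pkg []byte) {
	sum := md5.Sum(evil)
	b, _ := json.Marshal(Manifest{URL: "http://updates.example/update.exe", Digest: hex.EncodeToString(sum[:])})
	return b, evil
}

// secureCheck is the hardened form: the manifest carries a SHA-256 digest and
// is signed by the vendor's Ed25519 key, whose public half is pinned in the
// client. The attacker can still rewrite traffic but cannot produce a valid
// signature over a manifest of their choosing.
func secureCheck(pinned ed25519.PublicKey, manifestJSON, sig, pkg []byte) error {
	if !ed25519.Verify(pinned, manifestJSON, sig) {
		return errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return err
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.Digest {
		return errors.New("sha256 mismatch: package does not match signed manifest")
	}
	return nil
}

// Outcome records which client accepted which update in the simulated scenario.
type Outcome struct {
	InsecureAcceptsTampered       bool // vulnerable pattern: attacker's package passes
	SecureRejectsTamperedManifest bool // forged manifest fails the signature check
	SecureRejectsSwappedPackage   bool // replayed genuine manifest, different package
	SecureAcceptsGenuine          bool // the real update still installs
}

// RunScenario builds a vendor key pair, a genuine update and an attacker's
// payload (all constructed sample data), then runs both client checks against
// what a MITM would deliver.
func RunScenario() (Outcome, error) {
	var out Outcome
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	genuine := []byte("constructed genuine update package")
	evil := []byte("constructed attacker payload")

	// Vendor side (hardened design): sign a manifest naming the SHA-256 of the genuine package.
	gsum := sha256.Sum256(genuine)
	genuineManifest, _ := json.Marshal(Manifest{URL: "https://updates.example/update.exe", Digest: hex.EncodeToString(gsum[:])})
	sig := ed25519.Sign(priv, genuineManifest)

	// Attacker rewrites the plaintext exchange.
	tamperedManifest, tamperedPkg := mitmRewrite(evil)

	out.InsecureAcceptsTampered = insecureCheck(tamperedManifest, tamperedPkg) == nil
	out.SecureRejectsTamperedManifest = secureCheck(pub, tamperedManifest, sig, tamperedPkg) != nil
	out.SecureRejectsSwappedPackage = secureCheck(pub, genuineManifest, sig, evil) != nil
	out.SecureAcceptsGenuine = secureCheck(pub, genuineManifest, sig, genuine) == nil
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The hardened check signs the manifest rather than the bare package and then still compares the package against the signed digest; the SecureRejectsSwappedPackage case is why both steps are needed. Transport security (HTTPS with certificate validation) belongs on top of this, since a signed manifest alone does not stop an attacker from withholding updates or replaying an older, validly signed but vulnerable release.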
Acronis True Image is disk backup software for Windows and Mac systems with over 5 million users worldwide. The latest iteration, Acronis True Image 2017, was released earlier this year and introduced new features such as anti-ransomware protection and blockchain-based capabilities. The software was touted as integrating backup and security, incorporating leading-edge technologies to help users thwart a range of cyber threats and minimise potential data loss.
But if the backup and protection software itself exposes users to security threats and data breaches, then the company certainly has a lot of explaining to do. For the moment, Acronis is fortunate that the vulnerability has not been widely reported.
At the time of writing there is no known fix, only a workaround. Users of Acronis True Image are advised to obtain updates directly from the Acronis web site over an HTTPS connection rather than through the in-product updater, and to avoid using the software on untrusted networks, where an on-path attacker can tamper with the HTTP update traffic.
Since we published this article, Acronis got back to us with the following statement: