
Acronis Cyber Protect: Privilege escalation and information leakage possible

Vulnerabilities in Acronis Cyber Protect allow privilege escalation and information leakage. Updates fix them.

(Image: warning triangle; Sashkin/Shutterstock.com)

This article was originally published in German and has been automatically translated.

Acronis warns of vulnerabilities in its all-in-one security suite Cyber Protect, which grew out of Acronis True Image. Attackers could abuse them to escalate their privileges or to gain unauthorized access to information and even modify it. Updated software closes the vulnerabilities.

The Cyber Protect Cloud Agent for Windows alone has two vulnerabilities that could allow malicious actors to escalate their privileges on the system. Acronis does not provide more detailed information, but one of them is a privilege escalation caused by an unquoted search path (CVE-2024-34010, CVSS 8.2, risk "high"). In addition, some folders are assigned insecure permissions, which likewise allows privilege escalation on the system (CVE-2024-34011, CVSS 6.8, medium).
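Both Windows issues named above belong to well-known vulnerability classes that administrators can audit for themselves. The following PowerShell script is an added example, not code from the article or from Acronis: it lists services whose unquoted ImagePath contains a space, reports which directories along that path grant write access to low-privileged principals (the condition that makes an unquoted path or a weak folder ACL exploitable), and shows the quoted ImagePath that would fix it. It reads only the local service configuration and registry; the ImagePath location under HKLM:\SYSTEM\CurrentControlSet\Services is the standard one and is not specific to Acronis. Run it in an elevated session.

```powershell
# Added audit example (not Acronis's code). Finds Windows services with an
# unquoted executable path containing spaces and checks the directories on
# that path for write access granted to non-administrative principals.

function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $p = $_.PathName
        # Skip empty paths, already-quoted paths and paths without a drive prefix
        if (-not $p -or $p.StartsWith('"') -or $p -notmatch '^[A-Za-z]:\\') { return }
        # Executable = everything up to and including the first ".exe" (case-insensitive)
        if ($p -notmatch '(?i)^(.*?\.exe)') { return }
        $exe = $Matches[1]
        # Only a space inside the unquoted executable path is ambiguous to the loader
        if ($exe -notmatch '\s') { return }
        [PSCustomObject]@{
            Name       = $_.Name
            StartName  = $_.StartName   # account the service runs as
            PathName   = $p
            Executable = $exe
        }
    }
}

function Test-WeakDirectoryAcl {
    # Returns one line per ACE that gives a low-privileged principal write rights.
    param([Parameter(Mandatory)][string]$Directory)
    $weakPrincipals = 'Everyone', 'BUILTIN\Users',
                      'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    try { $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop } catch { return @() }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $weakPrincipals -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $writeMask) -ne 0)
    } | ForEach-Object { "$($_.IdentityReference) has $($_.FileSystemRights)" }
}

function Repair-UnquotedServicePath {
    # Builds the quoted ImagePath; writes it to the registry only with -Apply.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$PathName,
        [Parameter(Mandatory)][string]$Executable,
        [switch]$Apply
    )
    $arguments = $PathName.Substring($Executable.Length)
    $fixed = '"' + $Executable + '"' + $arguments
    if ($Apply) {
        # ImagePath is normally REG_EXPAND_SZ; keep that type when rewriting it
        Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" `
            -Name ImagePath -Value $fixed -Type ExpandString
    }
    $fixed
}

# Report: one block per affected service, walking every parent directory of
# the executable (a conservative superset of the directories the loader probes).
foreach ($svc in Get-UnquotedServicePath) {
    Write-Output "Service '$($svc.Name)' (runs as $($svc.StartName)) has unquoted path: $($svc.PathName)"
    $dir = Split-Path -Path $svc.Executable -Parent
    while ($dir) {
        foreach ($issue in (Test-WeakDirectoryAcl -Directory $dir)) {
            Write-Output "  writable by low-privileged principal: $dir -> $issue"
        }
        $dir = Split-Path -Path $dir -Parent   # becomes '' at the drive root
    }
    $fix = Repair-UnquotedServicePath -Name $svc.Name -PathName $svc.PathName -Executable $svc.Executable
    Write-Output "  suggested ImagePath: $fix"
}
```

A service with an unquoted path is only a real problem when one of the listed directories is also writable by an ordinary user, which is exactly the combination the two Acronis advisories describe (unquoted search path plus insecure folder permissions); the report shows both conditions side by side so they can be fixed together, either by quoting the path (`Repair-UnquotedServicePath -Apply`) or by tightening the folder ACL.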

Unspecified missing authorization checks can lead to leakage or even manipulation of sensitive information (CVE-2023-48683, CVE-2023-48684, both CVSS 7.1, high). It remains unclear what attacks on these vulnerabilities would look like.

The C24.04 update for Acronis Cyber Protect Cloud Agent patches the vulnerabilities. After logging in to the company's website, the updated software can be downloaded from the customer account. As three of the vulnerabilities are classified as high risk, a prompt update is recommended. According to the release notes, this upgrades the clients to Acronis Cyber Protection Agent for Linux, Mac and Windows v.24.4.37758, which the security bulletins also name as the version that corrects the security-relevant errors.

Acronis last patched vulnerabilities in the Acronis Agent in October. With version C23.10, the company's developers closed two vulnerabilities, one rated high risk and one rated medium.

(dmk)