Unauthenticated web security vulnerability resolved
A serious security vulnerability affecting Acronis Cyber Backup might have allowed attackers to send spoofed emails containing malicious attachments under of the guise of backup failure notifications.
The issue, discovered by security researcher Julien Ahrens of RCE Security, stemmed from a server-side request forgery (SSRF) vulnerability in the web-facing components of the data backup technology.
In a detailed technical write-up, Ahrens explains how an unauthenticated SSRF in Acronis Cyber Backup had a severe application logic impact.
The recently resolved flaw allowed an attacker to send fully customizable emails to any recipient by “abusing a web service that is bound to localhost”, Ahrens explains.
RECOMMENDED Databases, cloud storage, and more at risk from exposed access keys
“The fun thing about this issue is that the emails can be sent as backup indicators, including fully customizable attachments,” he added.
“Imagine sending Acronis ‘Backup Failed’ emails to the whole organization with a nice backdoor attached to it?”
Ahrens reported the issue to Acronis, which resolved the issue. Users need to upgrade to Acronis Cyber Backup up to v12.5 Build 16341 or later to avoid potential problems.
In its release notes last week, Acronis acknowledged Ahrens for discovering “security vulnerability that allows attackers to send HTTP requests in the local network via Acronis Management Server”.
Ahrens uncovered the vulnerability using source code review and without needing to obtain the product for testing himself.
The Daily Swig has put out follow-up questions to both Ahrens and Acronis. We’ll update this story as and when more information comes to hand.
READ MORE Vulnerability in WordPress email marketing plugin patched