what you don't know can hurt you

Acronis Cyber Backup 12.5 Build 16341 Server-Side Request Forgery

Acronis Cyber Backup 12.5 Build 16341 Server-Side Request Forgery
Posted Sep 16, 2020
Authored by Julien Ahrens | Site rcesecurity.com

Acronis Cyber Backup version 12.5 Build 16341 suffers from a server-side request forgery vulnerability.

tags | exploit
advisories | CVE-2020-16171
MD5 | 91fb344eebf7d5d7a6562e49e011ffc4

Acronis Cyber Backup 12.5 Build 16341 Server-Side Request Forgery

Change Mirror Download
RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
=======================
Product: Acronis Cyber Backup
Vendor URL: https://www.acronis.com
Type: Server-Side Request Forgery [CWE-918]
Date found: 2020-07-30
Date published: 2020-09-14
CVSSv3 Score: 8.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L)
CVE: CVE-2020-16171


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
Acronis Cyber Backup v12.5 Build 16341
and below.


4. INTRODUCTION
===============
Businesses can be at risk of losing important data. Lost data leads to costly
downtime, customer dissatisfaction, regulatory fines, and lost revenue. As a
result, IT pros must meet extremely high expectations. You need to keep the
company running 24-hours a day.

Acronis Cyber Backup delivers the data protection that meets today’s demands. It
keeps your business running, protecting any workload, scaling without limits,
and saving you money.

(from the vendor's homepage)


5. VULNERABILITY DETAILS
========================
All API endpoints running on port 9877 under "/api/ams/" whereof some are
reachable without authentication, do accept an additional custom header called
"Shard":

def get_ams_address(headers):
if 'Shard' in headers:
[...]
return headers.get('Shard') # Mobile agent >= ABC5.0

The value of this header is afterwards to construct a separate web request send
by the application using a urllib.request.urlopen call:

def make_request_to_ams(resource, method, data=None):
port = config.CONFIG.get('default_ams_port', '9892')
uri = 'http://{}:{}{}'.format(get_ams_address(request.headers), port, resource)
logging.debug('Making request to AMS %s %s', method, uri)
headers = dict(request.headers)
del headers['Content-Length']
if not data is None:
headers['Content-Type'] = 'application/json'
req = urllib.request.Request(uri,
headers=headers,
method=method,
data=data)
resp = None
try:
resp = urllib.request.urlopen(req, timeout=wcs.web.session.DEFAULT_REQUEST_TIMEOUT)
except Exception as e:
logging.error('Cannot access ams {} {}, error: {}'.format(method, resource, e))
return resp

This can be abused to conduct SSRF attacks against otherwise unreachable internal hosts
of Acronis services that are bound to localhost such as the "NotificationService" running
on 127.0.0.1:30572 with a request header like:

Shard: localhost:30572/external_email?

For more details, see the referenced blog post.


6. RISK
=======
The vulnerability can be used by an unauthenticated or authenticated attacker
to query otherwise unreachable internal network resources. As demonstrated in
the corresponding blog post, using this vulnerability, it is possible to i.e.
(amongst others) send out fully customized emails or modify the application's
resource settings.


7. SOLUTION
===========
Update to v12.5 Build 16342


8. REPORT TIMELINE
==================
2020-07-30: Discovery of the vulnerability
2020-07-30: Since the vulnerability is fixed in Cyber Protect: Sent out a
request to the Vendor to check whether Cyber Backup is EOL and users
are advised to migrate to Cyber Protect instead.
2020-07-30: CVE requested from MITRE
2020-07-31: MITRE assigns CVE-2020-16171
2020-07-31: Public Disclosure date set to 2020-08-14
2020-08-04: Vendor asks for a 90 days extension
2020-08-04: Extension not granted because there is a fix available already. Public disclosure
date set to 2020-09-14
2020-09-05: Asking vendor about the status of the fix
2020-09-08: Vendor states that a fix has been backported to Cyber Backup 12.5 under the
reference ABR-202103
2020-09-14: Public disclosure



9. REFERENCES
=============
https://www.rcesecurity.com/2020/09/CVE-2020-16171-Exploiting-Acronis-Cyber-Backup-for-Fun-and-Emails/
https://dl.acronis.com/u/backup/rn/12.5/user/en-US/AcronisBackup12.5_relnotes.htm


Login or Register to add favorites

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    12 Files
  • 19
    Sep 19th
    1 Files
  • 20
    Sep 20th
    1 Files
  • 21
    Sep 21st
    9 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close