CVE-2021-32577

Severity: 7.8 HIGH

📋 TL;DR

CVE-2021-32577 is a local privilege escalation vulnerability in Acronis True Image for Windows where insecure folder permissions allow authenticated local users to gain SYSTEM privileges. This affects all Windows users running Acronis True Image versions prior to 2021 Update 5. Attackers need local access to the system to exploit this vulnerability.

💻 Affected Systems

Products:
  • Acronis True Image
Versions: All versions prior to 2021 Update 5
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows versions of Acronis True Image. Requires local authenticated access to exploit.

📦 What is this software?

Acronis True Image is Acronis's consumer backup and disk-imaging product, available for Windows and macOS; this advisory concerns the Windows release only.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker gains full SYSTEM privileges, enabling complete system compromise, data theft, persistence mechanisms, and lateral movement capabilities.

🟠 Likely Case

Malicious insider or malware with user-level access escalates to SYSTEM to install additional malware, disable security controls, or access protected resources.

🟢 If Mitigated

With proper access controls and monitoring, exploitation attempts can be detected and contained before significant damage occurs.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring authenticated local access, not remotely exploitable.
🏢 Internal Only: HIGH - Any compromised user account or malware with local execution can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation involves manipulating folder permissions and executing code with elevated privileges. Requires local authenticated access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2021 Update 5 or later

Vendor Advisory: https://kb.acronis.com/content/68413

Restart Required: Yes

Instructions:

1. Open Acronis True Image.
2. Click 'Help' > 'Check for updates'.
3. Install Update 5 or later.
4. Restart the system.

🔧 Temporary Workarounds

Remove vulnerable software (Windows)

Uninstall Acronis True Image if it is not required:

Control Panel > Programs > Uninstall a program > Select Acronis True Image > Uninstall

Restrict folder permissions (Windows)

Manually secure the vulnerable folder's permissions so that standard users keep only read and execute access. The command below removes inherited entries and replaces the explicit grants, so run it from an elevated prompt and confirm afterwards that the application still works for non-administrator accounts:

icacls "C:\ProgramData\Acronis\TrueImageHome" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" /grant:r "Administrators:(OI)(CI)F" /grant:r "Users:(OI)(CI)RX"

🧯 If You Can't Patch

  • Implement strict access controls and monitoring for local user activities
  • Use application whitelisting to prevent unauthorized execution from vulnerable directories

🔍 How to Verify

Check if Vulnerable:

Check the Acronis True Image version under Help > About. If it is earlier than 2021 Update 5, the system is vulnerable.

Check Version:

wmic product where "name like 'Acronis True Image%'" get version

Note that this queries the Win32_Product class, which is slow and triggers a consistency check of every installed MSI package; on hosts where that matters, read the product's DisplayVersion value under the Uninstall registry keys instead.

Verify Fix Applied:

Confirm that the version shown under Help > About is 2021 Update 5 or later, and that the ACL on C:\ProgramData\Acronis\TrueImageHome no longer grants standard users more than read and execute access.
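As an added example (not part of this advisory), the following Python script audits the text that `icacls` prints for the folder named above and reports every entry that grants a write-capable right to a low-privilege principal (Users, Everyone, Authenticated Users or INTERACTIVE). The two `icacls` outputs embedded in it are constructed samples, one shaped like a folder that still grants standard users full control and one shaped like the result of the workaround command; on a real host, run `icacls "C:\ProgramData\Acronis\TrueImageHome"` and pass its output to `weak_aces` instead. The folder path is the one this page gives, and the function names are the example's own.

```python
import re

# Rights tokens that allow writing into a directory or changing its ACL.
# Simple rights: F (full), M (modify), W (write); generic GA/GW; and the
# specific rights icacls prints comma-separated inside one set of parentheses.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WA", "WEA",
                "D", "DC", "WDAC", "WO"}

# Principals that every local account is effectively a member of.
LOW_PRIV_PRINCIPALS = {"users", "everyone", "authenticated users", "interactive"}


def parse_icacls(output, path):
    """Parse `icacls <path>` output into (principal, [tokens]) pairs.

    icacls prints the path on the first line followed by the first ACE, then one
    ACE per indented line; the trailing summary line carries no ACE. `path` must
    be the exact path that was queried so it can be stripped from the first line."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line[:len(path)].lower() == path.lower():
            line = line[len(path):].strip()
        if ":(" not in line:
            continue  # blank line, summary line, or a warning such as an unmapped SID
        principal, flags = line.rsplit(":", 1)
        tokens = []
        for group in re.findall(r"\(([^()]*)\)", flags):
            tokens.extend(t.strip() for t in group.split(","))
        aces.append((principal.strip(), tokens))
    return aces


def weak_aces(output, path):
    """Return ACEs granting a write-capable right to a low-privilege principal.

    Deny entries (printed by icacls with a (DENY) token) grant nothing and are skipped."""
    findings = []
    for principal, tokens in parse_icacls(output, path):
        if "DENY" in tokens:
            continue
        short_name = principal.rsplit("\\", 1)[-1].lower()
        if short_name not in LOW_PRIV_PRINCIPALS:
            continue
        granted = sorted(t for t in tokens if t in WRITE_RIGHTS)
        if granted:
            findings.append((principal, granted))
    return findings


def is_hardened(output, path):
    """True when no low-privilege principal can write into the folder."""
    return not weak_aces(output, path)


FOLDER = r"C:\ProgramData\Acronis\TrueImageHome"

# Constructed sample (not captured from a real host): a folder that still
# grants standard users full control and Everyone modify access.
BEFORE = r"""C:\ProgramData\Acronis\TrueImageHome NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                     BUILTIN\Administrators:(OI)(CI)(F)
                                     BUILTIN\Users:(OI)(CI)(F)
                                     Everyone:(I)(OI)(CI)(M)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed sample shaped like the result of the workaround's icacls command.
AFTER = r"""C:\ProgramData\Acronis\TrueImageHome NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                     BUILTIN\Administrators:(OI)(CI)(F)
                                     BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, "weak ACEs:", weak_aces(text, FOLDER))
```

The parser keys on the `principal:(flags)` shape rather than on column positions, so it tolerates the varying indentation icacls uses for long paths; it deliberately treats any write-capable specific right as a finding, not only (F) and (M), because a folder that grants only (WD) to Users is still writable.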

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing privilege escalation attempts
  • Process creation events from Acronis directories with SYSTEM privileges
  • File permission changes in Acronis directories

Network Indicators:

  • No network indicators - local exploitation only

SIEM Query:

EventID=4688 AND NewProcessName CONTAINS 'Acronis' AND SubjectUserName!=SYSTEM AND TokenElevationType=%%1938
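As an added example (not part of this advisory), the following Python code runs the detection logic above over constructed Windows 4688 ("A new process has been created") records. It implements the page's SIEM query as one predicate and the "process creation events from Acronis directories with SYSTEM privileges" indicator as a second one, using the standard 4688 field names (SubjectUserSid, SubjectUserName, NewProcessName, TokenElevationType, TargetUserSid). Two details a practitioner needs: the value %%1938 is the limited (non-elevated) token, so the query catches standard-user launches of binaries under Acronis paths; and SYSTEM usually appears in SubjectUserName as the computer account (HOST$), so the code tests the well-known SID S-1-5-18 as well as the literal name. The event records, user names and executable names are constructed and are not Acronis's real binaries.

```python
EVENT_ID_PROCESS_CREATE = 4688
SYSTEM_SID = "S-1-5-18"
# TokenElevationType as it appears in 4688 event data:
# %%1936 = default token, %%1937 = full (elevated) token, %%1938 = limited token.
LIMITED_TOKEN = "%%1938"


def is_acronis_path(new_process_name):
    """The page's 'NewProcessName CONTAINS Acronis' clause, case-insensitive."""
    return "acronis" in new_process_name.lower()


def subject_is_system(ev):
    """SYSTEM is reliably identified by SID; the name check keeps the query literal."""
    return (ev.get("SubjectUserSid") == SYSTEM_SID
            or ev.get("SubjectUserName", "").upper() == "SYSTEM")


def matches_siem_query(ev):
    """The advisory's query: 4688, Acronis path, non-SYSTEM subject, limited token."""
    return (ev.get("EventID") == EVENT_ID_PROCESS_CREATE
            and is_acronis_path(ev.get("NewProcessName", ""))
            and not subject_is_system(ev)
            and ev.get("TokenElevationType") == LIMITED_TOKEN)


def system_process_from_acronis_dir(ev):
    """Log indicator: a process under an Acronis directory that runs as SYSTEM
    (TargetUserSid) although the subject that created it is not SYSTEM."""
    return (ev.get("EventID") == EVENT_ID_PROCESS_CREATE
            and is_acronis_path(ev.get("NewProcessName", ""))
            and ev.get("TargetUserSid") == SYSTEM_SID
            and not subject_is_system(ev))


def triage(events):
    """Return (NewProcessId, [reasons]) for every event that trips a predicate."""
    hits = []
    for ev in events:
        reasons = []
        if matches_siem_query(ev):
            reasons.append("siem-query")
        if system_process_from_acronis_dir(ev):
            reasons.append("system-from-acronis-dir")
        if reasons:
            hits.append((ev["NewProcessId"], reasons))
    return hits


USER_SID = "S-1-5-21-1000-2000-3000-1001"  # constructed standard-user SID

# Constructed 4688 records (not captured from a real host); file names are placeholders.
SAMPLE_EVENTS = [
    # Standard user launching an Acronis binary with a limited token: matches the query.
    {"EventID": 4688, "SubjectUserSid": USER_SID, "SubjectUserName": "alice",
     "NewProcessId": "0x1a4",
     "NewProcessName": r"C:\Program Files\Acronis\TrueImageHome\app.exe",
     "TokenElevationType": "%%1938", "TargetUserSid": USER_SID, "TargetUserName": "alice"},
    # Service started by SYSTEM itself: expected noise, not flagged.
    {"EventID": 4688, "SubjectUserSid": SYSTEM_SID, "SubjectUserName": "WORKSTATION$",
     "NewProcessId": "0x2a0",
     "NewProcessName": r"C:\Program Files\Acronis\TrueImageHome\svc.exe",
     "TokenElevationType": "%%1936", "TargetUserSid": SYSTEM_SID, "TargetUserName": "SYSTEM"},
    # SYSTEM-token process out of the ProgramData folder, created by a standard user.
    {"EventID": 4688, "SubjectUserSid": USER_SID, "SubjectUserName": "alice",
     "NewProcessId": "0x2b8",
     "NewProcessName": r"C:\ProgramData\Acronis\TrueImageHome\sample.exe",
     "TokenElevationType": "%%1936", "TargetUserSid": SYSTEM_SID, "TargetUserName": "SYSTEM"},
    # Unrelated process: not flagged.
    {"EventID": 4688, "SubjectUserSid": USER_SID, "SubjectUserName": "alice",
     "NewProcessId": "0x3c4",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "TokenElevationType": "%%1938", "TargetUserSid": USER_SID, "TargetUserName": "alice"},
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS):
        print(pid, ",".join(reasons))
```

The query predicate alone fires on every ordinary launch of the product by a standard user, so it is a hunting filter rather than an alert; the second predicate is the higher-signal one, and both require process-creation auditing to be enabled on the host.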

🔗 References

  • Vendor advisory: https://kb.acronis.com/content/68413
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-32577
