CVE-2021-32579 – This vulnerability allows an unauthenticated at... (How to Fix)

Q: What is the severity of CVE-2021-32579?

CVE-2021-32579 has a CVSS score of 7.8 (HIGH). This vulnerability allows an unauthenticated attacker with local code execution capability to tamper with the micro-service API in Acronis True Image backup software. This affects Windows users running versions prior to 2021 Update 4 and macOS users running versions prior to 2021 Update 5. The vulnerability enables API manipulation that could lead to further system compromise.

📋 TL;DR

This vulnerability allows an unauthenticated attacker with local code execution capability to tamper with the micro-service API in Acronis True Image backup software. This affects Windows users running versions prior to 2021 Update 4 and macOS users running versions prior to 2021 Update 5. The vulnerability enables API manipulation that could lead to further system compromise.

💻 Affected Systems

Products:

Acronis True Image

Versions: Windows: versions prior to 2021 Update 4; macOS: versions prior to 2021 Update 5

Operating Systems: Windows, macOS

Default Config Vulnerable: ⚠️ Yes

Notes: Requires attacker to already have local code execution capability on the system.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through privilege escalation, data theft, or ransomware deployment via manipulated backup processes.

🟠

Likely Case

Local privilege escalation allowing attacker to execute arbitrary code with higher privileges than initially obtained.

🟢

If Mitigated

Limited impact if proper network segmentation and least privilege principles are enforced, restricting lateral movement.

🌐 Internet-Facing: LOW - This requires local code execution first, making direct internet exploitation unlikely.

🏢 Internal Only: HIGH - Once an attacker gains initial local foothold, this vulnerability enables significant privilege escalation within the affected system.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires local access first, but once obtained, the API tampering is unauthenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Windows: 2021 Update 4 or later; macOS: 2021 Update 5 or later

Vendor Advisory: https://kb.acronis.com/content/68413

Restart Required: Yes

Instructions:

1. Open Acronis True Image. 2. Click 'Check for updates' in the main interface. 3. Follow prompts to install the latest update. 4. Restart the system when prompted.

🔧 Temporary Workarounds

Disable Acronis True Image Service

all

Temporarily disable the vulnerable micro-service until patching can be completed.

Windows: sc stop "Acronis True Image Service"
macOS: sudo launchctl unload /Library/LaunchDaemons/com.acronis.trueimage.plist

🧯 If You Can't Patch

Implement strict application whitelisting to prevent unauthorized local code execution.
Apply network segmentation to isolate systems running vulnerable versions from critical assets.

🔍 How to Verify

Check if Vulnerable:

Check Acronis True Image version in application settings or About dialog.

Check Version:

Windows: Check Help > About in Acronis True Image; macOS: Open Acronis True Image > About Acronis True Image

Verify Fix Applied:

Verify version is Windows: 2021 Update 4 (build 39287) or later, macOS: 2021 Update 5 (build 39287) or later.

📡 Detection & Monitoring

Log Indicators:

Unusual API calls to Acronis micro-services
Suspicious process creation from Acronis executables

Network Indicators:

Unexpected network connections from Acronis processes to unusual destinations

SIEM Query:

process_name:"Acronis*" AND (event_type:"process_creation" OR event_type:"network_connection")

📊 Metadata

CVE ID: CVE-2021-32579

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-287

Published: August 5, 2021

Last Updated: November 21, 2024

🔗 References

https://kb.acronis.com/content/68413 Vendor Advisory
https://kb.acronis.com/content/68419 Vendor Advisory
https://kb.acronis.com/content/68413 Vendor Advisory
https://kb.acronis.com/content/68419 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-32579, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

True Image by Acronis

True Image by Acronis

True Image by Acronis

True Image by Acronis

True Image by Acronis

True Image by Acronis

True Image by Acronis

True Image by Acronis

True Image by Acronis

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable Acronis True Image Service

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities