CVE-2021-34800
📋 TL;DR
Acronis Agent versions before build 27147 on Windows, Linux, and macOS can log sensitive information to system logs. This vulnerability allows attackers with access to log files to potentially obtain credentials or other confidential data. All organizations using affected Acronis Agent versions are at risk.
💻 Affected Systems
- Acronis Agent
📦 What is this software?
Agent by Acronis
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to administrative credentials or encryption keys from logs, leading to full system compromise and data exfiltration.
Likely Case
Unauthorized users with log access obtain sensitive configuration details or limited credentials, enabling further reconnaissance or privilege escalation.
If Mitigated
With proper log access controls and monitoring, impact is limited to information disclosure without direct system compromise.
🎯 Exploit Status
Exploitation requires access to log files, which typically means some level of system access is already obtained. No public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 27147 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-3145
Restart Required: Yes
Instructions:
1. Download Acronis Agent build 27147 or later from official Acronis sources.
2. Install the update following standard procedures.
3. Restart the Acronis Agent service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict Log File Access
Set strict file permissions on Acronis Agent log directories to prevent unauthorized access.
chmod 600 /var/log/acronis/* (Linux/macOS)
icacls "C:\ProgramData\Acronis\Logs" /deny "Users:(R,W)" (Windows)
Disable Detailed Logging
Configure Acronis Agent to use minimal logging that excludes sensitive information.
Edit the configuration file to set log_level=ERROR or WARNING
🧯 If You Can't Patch
- Implement strict access controls on log directories and files
- Monitor log files for unauthorized access attempts and review existing logs for exposed sensitive data
🔍 How to Verify
Check if Vulnerable:
Check Acronis Agent version: On Windows - Check Programs and Features; On Linux/macOS - Run 'acronis_agent --version' or check installed package version.
Check Version:
acronis_agent --version (Linux/macOS) or check installed version in Control Panel (Windows)
Verify Fix Applied:
Confirm version is 27147 or later and test that sensitive information no longer appears in logs during normal operations.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to Acronis log files
- Log entries containing credentials or sensitive configuration data
Network Indicators:
- Unusual outbound connections from systems running Acronis Agent
SIEM Query:
source="acronis_logs" AND (event_type="access_denied" OR keywords="password","secret","key")
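One way to carry out the review of existing logs suggested above, as an added example (not Acronis or advisory code): it flags lines whose field names contain the keywords from the SIEM query and reports them with the values redacted, so the review output does not re-expose the data. The `key=value` / `"key": "value"` layout and the sample lines are assumptions; the actual Acronis log format is not given on this page.

```python
import re

# Keywords come from the page's SIEM query; the field layout is an assumption.
SENSITIVE = re.compile(r"""(?ix)
    \b([\w.-]*(?:password|secret|key)[\w.-]*)   # field name containing a keyword
    ["']?\s*[=:]\s*                             # optional closing quote, separator
    ("[^"]*"|'[^']*'|[^\s,;}]+)                 # value (quoted or bare token)
""")


def scan_lines(lines):
    """Return (line_number, field_name, redacted_line) for every sensitive field."""
    findings = []
    for number, line in enumerate(lines, start=1):
        hits = SENSITIVE.findall(line)
        if not hits:
            continue
        # Replace each value before reporting so secrets never reach the output.
        redacted = SENSITIVE.sub(lambda m: f"{m.group(1)}=<redacted>",
                                 line.rstrip("\n"))
        for name, _value in hits:
            findings.append((number, name.lower(), redacted))
    return findings


def scan_file(path):
    """Scan one log file; undecodable bytes are replaced rather than fatal."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return scan_lines(handle)


# Constructed sample lines, not real Acronis Agent output.
SAMPLE = [
    "2021-06-01 10:00:01 INFO backup plan started",
    "2021-06-01 10:00:02 DEBUG connect user=svc_backup password=Example123!",
    '2021-06-01 10:00:03 DEBUG storage config: {"api_secret": "abc-constructed"}',
    "2021-06-01 10:00:04 WARNING keyboard layout not detected",
]

if __name__ == "__main__":
    for number, name, redacted in scan_lines(SAMPLE):
        print(f"line {number}: field '{name}' -> {redacted}")
```

Hits are candidates for manual triage: a field name that merely contains "key" will also match, and any credential confirmed in a log should be rotated, since patching does not clean entries already written.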