CVE-2023-41742
📋 TL;DR
Acronis Agent and Acronis Cyber Protect 15 bind their services to unrestricted IP addresses (all network interfaces rather than only trusted ones), which creates an excessive attack surface that any host with network access can reach. Affected systems include Acronis Agent (Linux, macOS, Windows) before build 30430 and Acronis Cyber Protect 15 (Linux, macOS, Windows) before build 35979.
💻 Affected Systems
- Acronis Agent
- Acronis Cyber Protect 15
📦 What is this software?
Agent by Acronis
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise and lateral movement across the network
Likely Case
Unauthorized access to sensitive data and potential privilege escalation
If Mitigated
Limited impact with proper network segmentation and access controls
🎯 Exploit Status
The vulnerability involves binding to unrestricted IP addresses, making exploitation relatively straightforward for attackers with network access
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Acronis Agent build 30430+, Acronis Cyber Protect 15 build 35979+
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-4351
Restart Required: Yes
Instructions:
1. Download the latest version from the Acronis portal
2. Install the update
3. Restart the affected services
4. Verify the update was applied successfully
🔧 Temporary Workarounds
Network Segmentation
Linux: restrict network access to Acronis services using firewall rules. Replace the bracketed placeholders with the service port and your trusted network; the ACCEPT rule must be evaluated before the DROP rule, and the rules must be persisted (for example with iptables-save) or they are lost on reboot.
# Allow the Acronis port only from the trusted network, then drop all other traffic to that port
iptables -A INPUT -p tcp --dport [Acronis_port] -s [trusted_network] -j ACCEPT
iptables -A INPUT -p tcp --dport [Acronis_port] -j DROP
Windows Firewall Restriction
Windows: limit the Acronis service ports to trusted networks only. New-NetFirewallRule has no "not local subnet" address keyword and block rules always win over allow rules, so rather than a block rule, add an allow rule scoped to the trusted network and rely on the profile's default inbound action (Block). If the installer already created a broader allow rule for the same port, narrow its scope the same way with Set-NetFirewallRule -RemoteAddress.
# Allow inbound connections to the Acronis port only from the trusted network (CIDR or range)
New-NetFirewallRule -DisplayName "Allow Acronis from trusted network" -Direction Inbound -Protocol TCP -LocalPort [Acronis_port] -RemoteAddress [trusted_network] -Action Allow
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to limit access to Acronis services
- Monitor network traffic to/from Acronis services for suspicious activity and unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check Acronis Agent version: acronis_agent --version or check installed build number in Acronis Cyber Protect console
Check Version:
acronis_agent --version (Linux/macOS) or check Programs and Features (Windows)
Verify Fix Applied:
Verify the build is 30430+ for Agent or 35979+ for Cyber Protect 15, and confirm the services are no longer listening on unrestricted (all-interface) addresses.
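To check the second condition on Linux, here is an added example script (not from the advisory or from Acronis) that parses ss -ltnp output and lists listeners bound to a wildcard address (0.0.0.0, * or [::]). The sample ss output, the port numbers and the process name acronis_agent in it are constructed for illustration; on a real host the process names and ports come from your own installation.

```shell
#!/bin/sh
# Added example, not part of the Acronis advisory: find TCP listeners bound
# to every interface (0.0.0.0, * or [::]) so an admin can confirm that the
# Acronis services are no longer exposed on unrestricted addresses.
# Input is the output of `ss -ltnp` (run as root so the process column is filled).

# wildcard_listeners: read `ss -ltnp` lines on stdin, print "<port> <process>"
# for each socket whose local address is a wildcard address.
wildcard_listeners() {
    awk 'NR > 1 && $4 ~ /^(0\.0\.0\.0|\*|\[::\]):/ {
        n = split($4, a, ":"); port = a[n]
        proc = ($NF ~ /^users:/) ? $NF : "-"
        print port, proc
    }'
}

# acronis_wildcard_count: number of wildcard listeners owned by a process whose
# name contains "acronis" (case-insensitive). Prints 0 when none are found.
acronis_wildcard_count() {
    wildcard_listeners | grep -ic acronis || true
}

# Constructed sample of `ss -ltnp` output used for the demonstration; the
# ports and the process name "acronis_agent" are assumptions, not values
# taken from the advisory.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:9999      0.0.0.0:*         users:(("acronis_agent",pid=1234,fd=5))
LISTEN 0      128    0.0.0.0:44445       0.0.0.0:*         users:(("acronis_agent",pid=1234,fd=6))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=800,fd=3))
LISTEN 0      128    10.0.0.5:8443       0.0.0.0:*         users:(("other",pid=900,fd=4))'

# On a real host: sudo ss -ltnp | acronis_wildcard_count   (0 means nothing is exposed)
printf '%s\n' "$SAMPLE_SS" | wildcard_listeners
printf 'acronis wildcard listeners: %s\n' "$(printf '%s\n' "$SAMPLE_SS" | acronis_wildcard_count)"
```

Against the sample the script reports the 0.0.0.0:44445 acronis_agent socket and the sshd socket as wildcard listeners, and a count of 1 for Acronis; the loopback-only 127.0.0.1:9999 socket is correctly ignored. A count of 0 after patching is the result you want.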
📡 Detection & Monitoring
Log Indicators:
- Unusual network connections to Acronis services
- Failed authentication attempts to Acronis ports
- Unexpected process execution from Acronis binaries
Network Indicators:
- Unusual traffic patterns to Acronis service ports
- Connection attempts from unauthorized IP ranges
- Port scanning activity targeting Acronis ports
SIEM Query:
source="acronis_logs" AND ((event_type="connection" AND src_ip NOT IN [trusted_networks]) OR event_type="authentication_failure")
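For hosts without a SIEM, or to test the query logic before deploying it, here is an added example (not from the advisory or from Acronis) that applies the same two conditions to Acronis log lines offline with awk: connections whose source IP is outside the trusted networks, and authentication failures. The key=value log format, the trusted CIDR list and the sample lines are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Acronis advisory: apply the SIEM query's logic
# offline to Acronis log lines, flagging (a) connections whose source IP is
# outside the trusted networks and (b) authentication failures. The key=value
# log format and the trusted CIDR list are assumptions for the demonstration.

# acronis_alerts: reads key=value log lines on stdin; $1 is a space-separated
# list of trusted IPv4 CIDRs. Prints an ALERT line for each match.
acronis_alerts() {
    awk -v trusted="$1" '
    function ip2n(ip,   o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    # true when ip falls inside cidr; compares the network prefixes as integers
    function in_cidr(ip, cidr,   p, shift) {
        split(cidr, p, "/"); shift = 2 ^ (32 - p[2])
        return int(ip2n(ip) / shift) == int(ip2n(p[1]) / shift)
    }
    BEGIN { nnets = split(trusted, nets, " ") }
    {
        ev = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^event_type=/) ev = substr($i, 12)
            if ($i ~ /^src_ip=/)     ip = substr($i, 8)
        }
        if (ev == "authentication_failure") { print "ALERT auth_failure " $0; next }
        if (ev == "connection" && ip != "") {
            ok = 0
            for (i = 1; i <= nnets; i++) if (in_cidr(ip, nets[i])) ok = 1
            if (!ok) print "ALERT untrusted_source " $0
        }
    }'
}

TRUSTED_NETWORKS="10.0.0.0/8 192.168.1.0/24"

# Constructed sample log; addresses use RFC 1918 and documentation ranges.
SAMPLE_LOG='2024-05-01T10:00:01Z event_type=connection src_ip=10.0.0.9 dst_port=44445
2024-05-01T10:00:02Z event_type=connection src_ip=203.0.113.7 dst_port=44445
2024-05-01T10:00:03Z event_type=authentication_failure src_ip=10.0.0.9 user=backup
2024-05-01T10:00:04Z event_type=connection src_ip=192.168.1.20 dst_port=44445
2024-05-01T10:00:05Z event_type=connection src_ip=192.168.2.20 dst_port=44445'

printf '%s\n' "$SAMPLE_LOG" | acronis_alerts "$TRUSTED_NETWORKS"
```

On the sample this raises three alerts: the connection from 203.0.113.7, the authentication failure, and the connection from 192.168.2.20, which lies outside 192.168.1.0/24 even though it looks like an internal address. The CIDR match works on integer prefixes, so a trusted list with host-boundary prefixes such as 192.168.1.0/24 is handled exactly rather than by string prefix.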