CVE-2023-44158
📋 TL;DR
Acronis Cyber Protect 15 builds before 35979 do not sufficiently mask token fields, so authentication or session tokens can be disclosed in places where they should appear redacted (for example in logs or error messages). The issue affects Acronis Cyber Protect 15 on both Linux and Windows. An attacker who obtains such a token can reuse it to gain unauthorized access to protected systems or data.
💻 Affected Systems
- Acronis Cyber Protect 15
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of protected systems and data through token reuse, leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Unauthorized access to backup data, configuration information, or limited system access depending on token privileges.
If Mitigated
Minimal impact with proper network segmentation, monitoring, and quick patch deployment.
🎯 Exploit Status
Exploitation requires access to token data, which may be obtained through logs, error messages, or network interception.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 35979 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-4071
Restart Required: Yes
Instructions:
1. Download Acronis Cyber Protect 15 build 35979 or later from official Acronis sources.
2. Install the update following Acronis documentation.
3. Restart the Acronis Cyber Protect service or the entire system as required.
🔧 Temporary Workarounds
Restrict Access to Logs and Interfaces
All platforms: Limit access to Acronis management interfaces and log files (where unmasked tokens may appear) to authorized personnel only.
Network Segmentation
All platforms: Isolate Acronis Cyber Protect systems from untrusted networks and implement strict firewall rules so that tokens cannot be intercepted or replayed from outside the management segment.
🧯 If You Can't Patch
- Monitor logs for unusual token exposure or unauthorized access attempts.
- Implement strict access controls and review all authentication mechanisms.
🔍 How to Verify
Check if Vulnerable:
Check the Acronis Cyber Protect build number in the management console or via the command line. The build number, not the product version "15", is what matters: if the build is earlier than 35979, the system is vulnerable.
Check Version:
On Windows: Check via Acronis Management Console. On Linux: Check via acronis_cyber_protect --version or consult installation logs.
Verify Fix Applied:
Confirm the version shows build 35979 or later in the management interface.
📡 Detection & Monitoring
Log Indicators:
- Unusual token strings in logs
- Multiple failed authentication attempts followed by successful access
- Access from unexpected IP addresses
Network Indicators:
- Unusual traffic patterns to/from Acronis management ports
- Token strings in cleartext network traffic
SIEM Query:
source="acronis_logs" AND (token OR authentication) AND (exposed OR cleartext)
Here acronis_logs stands for whatever source name your SIEM assigns to the ingested Acronis logs, and the keyword terms are a coarse starting point: the logs will rarely contain the literal words "exposed" or "cleartext", so tune the query to the field names and masking placeholders that actually appear in your log format.
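The log indicators above come down to one check: does a token field appear with its value intact where it should have been masked? The scanner below is an added example for this page, not Acronis code. Because the page does not show the product's log format, the sample lines, the field names (`token`, `session_token`, `access_token`, and so on) and the accepted masking placeholders are all assumptions; point it at an exported Acronis log and adjust those to what the logs actually contain.

```python
"""Scan log text for token fields that should have been masked.

Added example for this advisory page, not Acronis code. The page does not show
the product's log format, so the sample lines below are constructed, and the
field names and masking conventions are assumptions to adapt to real output.
"""
import re
import sys

# Constructed sample lines (not real Acronis output): lines 1 and 4 mask the
# token correctly; lines 2 and 3 leak a JWT and a hex bearer token.
SAMPLE_LOG = """\
2023-09-01 10:00:01 INFO  api.request path=/api/login token=******** user=admin
2023-09-01 10:00:02 DEBUG auth.session {"session_token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.U3lS2rRrdbOq6p4N", "user": "admin"}
2023-09-01 10:00:03 INFO  api.request path=/api/resources access_token=8f3c2b7a9d1e4c6f8a0b2d4e6f8a1c3e5b7d9f1a
2023-09-01 10:00:04 INFO  api.request path=/api/logout token=[REDACTED] user=admin
"""

# Field names treated as secrets (assumed; longer names first so the regex
# does not match the bare "token" inside "session_token").
TOKEN_FIELDS = ("session_token", "access_token", "refresh_token", "auth_token", "token")

# Matches both key=value and JSON "key": "value" forms. The value runs until
# whitespace, a quote, a comma or a closing brace.
FIELD_RE = re.compile(
    r'\b(?P<key>' + "|".join(TOKEN_FIELDS) + r')\b"?\s*[=:]\s*"?(?P<val>[^\s",}]+)',
    re.IGNORECASE,
)

# Accepted masking conventions (assumed): runs of * or x, or a redaction marker.
MASK_RE = re.compile(r"^(\*+|x+|\[redacted\]|<redacted>|\[masked\])$", re.IGNORECASE)


def is_masked(value: str) -> bool:
    """True if the field value is a recognised placeholder rather than a secret."""
    return MASK_RE.match(value) is not None


def looks_like_secret(value: str) -> bool:
    """Heuristic: long, token-shaped (hex, base64url or JWT-like) values."""
    if len(value) < 16:
        return False
    return re.fullmatch(r"[A-Za-z0-9_\-.=+/]+", value) is not None


def find_unmasked_tokens(log_text: str) -> list[dict]:
    """Return one finding per token field whose value is neither masked nor
    obviously harmless. The preview keeps only the ends of the value so the
    scanner's own output does not become another leak."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for m in FIELD_RE.finditer(line):
            key, val = m.group("key"), m.group("val")
            if is_masked(val) or not looks_like_secret(val):
                continue
            findings.append({
                "line": lineno,
                "field": key,
                "preview": f"{val[:6]}...{val[-4:]}",
            })
    return findings


def main(argv: list[str]) -> int:
    """Scan the file named on the command line, or the constructed sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    findings = find_unmasked_tokens(text)
    for f in findings:
        print(f"line {f['line']}: unmasked {f['field']} ({f['preview']})")
    # Non-zero exit when anything leaked, so the script can gate a log export.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 scan_tokens.py /path/to/exported.log`; it exits non-zero when an unmasked token is found, so it can gate a scheduled log review or a pre-share check before logs are attached to a support ticket, and it prints only the ends of any value it flags rather than repeating the secret.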