CVE-2023-5042
📋 TL;DR
This vulnerability allows local attackers to access sensitive information due to insecure folder permissions in Acronis Cyber Protect Home Office for Windows. Attackers can read files containing credentials, configuration data, and other sensitive information. Only Windows users of Acronis Cyber Protect Home Office are affected.
💻 Affected Systems
- Acronis Cyber Protect Home Office
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Acronis-related credentials and sensitive system information, potentially leading to privilege escalation or lateral movement within the network.
Likely Case
Local attackers gain access to backup credentials, configuration files, and potentially other sensitive data stored in improperly secured folders.
If Mitigated
Minimal impact with proper access controls and patching; sensitive data remains protected from unauthorized local access.
🎯 Exploit Status
Exploitation requires local access to the system but is technically simple once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 40713 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-5330
Restart Required: Yes
Instructions:
1. Open Acronis Cyber Protect Home Office.
2. Check for updates in the application.
3. Install update to build 40713 or later.
4. Restart the system as prompted.
🔧 Temporary Workarounds
Manual Folder Permission Restriction
Windows: Manually adjust folder permissions to restrict access to Acronis installation directories
icacls "C:\Program Files\Acronis" /inheritance:r /grant:r "%USERNAME%":(OI)(CI)F /grant:r "SYSTEM":(OI)(CI)F /grant:r "Administrators":(OI)(CI)F
🧯 If You Can't Patch
- Implement strict access controls and monitor for unauthorized local access attempts
- Isolate affected systems from sensitive networks and implement application whitelisting
🔍 How to Verify
Check if Vulnerable:
Check Acronis Cyber Protect Home Office version in the application's About section or look for build number in installed programs list.
Check Version:
wmic product where "name like 'Acronis Cyber Protect Home Office%'" get version
Verify Fix Applied:
Verify version is build 40713 or later and check that Acronis installation folder permissions are properly restricted.
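One way to check the folder-permission half of that verification, as an added example (not vendor tooling and not part of the original page): the script lists every Allow ACE under the install folder that grants read access to anyone other than the three principals the workaround grants. The default path is the one written in the workaround; the function name and the choice to compare by SID are assumptions of this example.

```powershell
# Added example: audits ACLs only, changes nothing.
param(
    # Path as written in the workaround above; change it if Acronis is installed elsewhere.
    [string]$Path = 'C:\Program Files\Acronis'
)

# Principals the workaround grants, as SIDs so the check also works on localized Windows.
$allowed = @(
    'S-1-5-18',                                                            # SYSTEM
    'S-1-5-32-544',                                                        # BUILTIN\Administrators
    [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value   # current user (%USERNAME%)
)
# ReadData/ListDirectory (0x1), GENERIC_ALL (0x10000000), GENERIC_READ (0x80000000)
$readBits = 0x1 -bor 0x10000000 -bor 0x80000000
$sidType  = [System.Security.Principal.SecurityIdentifier]

function Get-UnexpectedReadAce {   # hypothetical helper name
    param([string]$Target)
    $acl = Get-Acl -LiteralPath $Target -ErrorAction SilentlyContinue
    if (-not $acl) { Write-Warning "Cannot read ACL: $Target"; return }
    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if ($allowed -contains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $readBits) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Target
            Sid       = $sid
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Check the root, then every subfolder: a child with its own explicit ACEs can reopen access.
$targets = @($Path) + @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { $_.FullName })
$findings = foreach ($t in $targets) { Get-UnexpectedReadAce -Target $t }

if ($findings) {
    $findings | Sort-Object Path, Sid | Format-Table -AutoSize
    Write-Warning "$(@($findings).Count) ACE(s) grant read access outside the expected principals."
} else {
    Write-Output "No unexpected read ACEs under $Path."
}
```

Run it from the account that applied the workaround; a different account's SID is reported as unexpected, which is the intended result.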
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to Acronis program folders
- Failed permission change attempts on Acronis directories
Network Indicators:
- N/A - Local vulnerability only
SIEM Query:
EventID=4663 AND ObjectName LIKE '%Acronis%' AND Accesses LIKE '%ReadData%'