CVE-2024-34014
📋 TL;DR
This vulnerability allows attackers to overwrite arbitrary files during recovery operations due to improper symbolic link handling in Acronis backup plugins. It affects Acronis backup plugins for cPanel & WHM, Plesk, and DirectAdmin on Linux systems. Attackers could potentially escalate privileges or modify critical system files.
💻 Affected Systems
- Acronis Backup plugin for cPanel & WHM (Linux)
- Acronis Backup extension for Plesk (Linux)
- Acronis Backup plugin for DirectAdmin (Linux)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through privilege escalation or modification of critical system files like /etc/passwd or /etc/shadow, leading to root access.
Likely Case
Local privilege escalation allowing attackers to gain higher privileges than intended, potentially compromising the hosting control panel environment.
If Mitigated
Limited impact with proper file permissions and isolation, potentially only affecting non-critical files within the backup plugin's scope.
🎯 Exploit Status
Exploitation requires local access to the system and knowledge of symbolic link attacks. No public exploit code has been disclosed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Acronis Backup plugin for cPanel & WHM (Linux) build 1.8.3.818 or 1.9.1.892, Acronis Backup extension for Plesk (Linux) build 1.8.6.599, Acronis Backup plugin for DirectAdmin (Linux) build 1.2.2.181
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-7592
Restart Required: No
Instructions:
1. Log into your hosting control panel (cPanel/WHM, Plesk, or DirectAdmin).
2. Navigate to the plugin/extension management section.
3. Check for updates to the Acronis Backup plugin.
4. Update to the patched version.
5. Verify the update was successful.
🔧 Temporary Workarounds
Disable symbolic link following
Linux: Configure the system to prevent symbolic link attacks by restricting symlink following in relevant directories.
chmod -R 755 /path/to/backup/directory
find /path/to/backup/directory -type l -delete
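Because `find ... -type l -delete` removes every symbolic link, including legitimate ones, a read-only audit of which links resolve outside the backup tree is useful first. The script below is an added example, not part of the original advisory or of Acronis tooling; the function name `escaping_symlinks` is hypothetical and it assumes a `readlink` that supports `-f` (GNU coreutils).

```shell
#!/bin/sh
# Added example (not vendor code): list symlinks under a directory whose
# target resolves outside that directory. Read-only; nothing is deleted.

# escaping_symlinks DIR
#   Prints "LINK -> TARGET" for each symlink under DIR that resolves to a
#   path outside DIR, and "LINK -> (unresolvable)" for links that cannot
#   be canonicalised (missing parent directory, symlink loop).
#   Returns 2 if DIR is not a directory.
escaping_symlinks() {
    root=$(readlink -f -- "$1") || return 2
    [ -d "$root" ] || return 2
    # -exec ... {} + passes names as arguments, so unusual file names
    # (spaces, newlines) are handled without word splitting.
    find "$root" -type l -exec sh -c '
        root=$1; shift
        for link in "$@"; do
            target=$(readlink -f -- "$link") || target=
            case $target in
                "")                printf "%s -> (unresolvable)\n" "$link" ;;
                "$root"|"$root"/*) ;;  # resolves inside the tree: ignore
                *)                 printf "%s -> %s\n" "$link" "$target" ;;
            esac
        done
    ' sh "$root" {} +
}

# Stand-alone use: sh audit.sh /path/to/backup/directory
[ "$#" -eq 0 ] || escaping_symlinks "$1"
```

Any line it prints is a link that a recovery operation following symlinks could write through; review those before deciding what to delete.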
Restrict file permissions
Linux: Set strict file permissions on backup directories to prevent unauthorized file modifications.
chown root:root /path/to/backup/directory
chmod 700 /path/to/backup/directory
🧯 If You Can't Patch
- Temporarily disable the Acronis backup plugin until patching is possible
- Implement strict access controls and monitor for suspicious file modification attempts
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in your hosting control panel's plugin management interface and compare against affected versions
Check Version:
Check via hosting control panel interface; no universal CLI command available
Verify Fix Applied:
Verify the plugin version shows as patched (1.8.3.818+, 1.9.1.892+, 1.8.6.599+, or 1.2.2.181+ depending on product)
📡 Detection & Monitoring
Log Indicators:
- Unusual file modification patterns in backup directories
- Multiple failed recovery attempts
- Unexpected symbolic link creation in backup paths
Network Indicators:
- None - this is a local file system vulnerability
SIEM Query:
source="acronis_backup.log" AND (event="file_overwrite" OR event="symlink_detected")