CVE-2024-49382
📋 TL;DR
The archive-server service in Acronis Cyber Protect 16 binds to an unrestricted IP address, exposing unnecessary network attack surface. This affects Acronis Cyber Protect 16 installations on Linux and Windows systems before build 38690. Attackers could potentially exploit this to gain unauthorized access to the service.
💻 Affected Systems
- Acronis Cyber Protect 16
⚠️ Risk & Real-World Impact
Worst Case
Remote attackers could exploit other vulnerabilities in the archive-server service that would otherwise be inaccessible, potentially leading to data theft, system compromise, or ransomware deployment.
Likely Case
Increased attack surface makes the system more vulnerable to network-based attacks, potentially allowing unauthorized access to backup archives or service disruption.
If Mitigated
With proper network segmentation and firewall rules, the risk is limited to internal attackers who already have network access to the vulnerable system.
🎯 Exploit Status
While no public exploit exists, the vulnerability lowers the barrier for other attacks by exposing the service unnecessarily.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 38690 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-7286
Restart Required: Yes
Instructions:
1. Update Acronis Cyber Protect 16 to build 38690 or later.
2. Restart the archive-server service.
3. Verify the service now binds only to intended interfaces.
🔧 Temporary Workarounds
Restrict network access with firewall
Configure firewall rules to restrict access to the archive-server service only from authorized IP addresses/networks.
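# Linux example: iptables -A INPUT -p tcp --dport <archive-server-port> -s <authorized-ip> -j ACCEPT
#                iptables -A INPUT -p tcp --dport <archive-server-port> -j DROP   (the ACCEPT rule alone restricts nothing unless other sources are dropped)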
# Windows example: New-NetFirewallRule -DisplayName 'Restrict Acronis Archive Server' -Direction Inbound -LocalPort <archive-server-port> -RemoteAddress <authorized-ip> -Protocol TCP -Action Allow
Bind to specific interface
Configure the archive-server service to bind only to specific network interfaces instead of all interfaces.
# Check Acronis documentation for specific configuration options to bind to specific IP addresses
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the Acronis server from untrusted networks
- Deploy host-based firewall rules to restrict inbound connections to the archive-server port
🔍 How to Verify
Check if Vulnerable:
Check Acronis Cyber Protect version: On Windows, check Control Panel > Programs > Acronis Cyber Protect. On Linux, check installed package version. If version is earlier than build 38690, the system is vulnerable.
Check Version:
# Windows: wmic product where "name='Acronis Cyber Protect'" get version
# Linux: rpm -qa | grep acronis-cyber-protect (RPM-based) or dpkg -l | grep acronis-cyber-protect (Debian-based)
Verify Fix Applied:
After updating to build 38690 or later, verify the archive-server service is running and check network connections to confirm it's not listening on all interfaces.
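One way to run the "not listening on all interfaces" check, as an added example that is not part of the original advisory or Acronis tooling: it parses saved `ss -ltn` or `netstat -an` output and reports wildcard listeners on the archive-server port. The port 9876 is the default this page lists; the function names and the sample output (including the address 10.0.0.5) are constructed for illustration.

```python
# Local-address forms that mean "every interface" in ss / netstat output.
WILDCARD_HOSTS = {"0.0.0.0", "*", "::", "[::]"}

# Constructed `ss -ltn` output from a host still bound to all interfaces.
SAMPLE_BEFORE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:9876       0.0.0.0:*
LISTEN 0      128    [::]:9876          [::]:*
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
"""

# Constructed output after the fix: bound to one management address only.
SAMPLE_AFTER = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    10.0.0.5:9876      0.0.0.0:*
"""

# Constructed Windows `netstat -an` lines (state column reads LISTENING).
SAMPLE_WINDOWS = """\
  TCP    0.0.0.0:9876     0.0.0.0:0     LISTENING
  TCP    10.0.0.5:445     0.0.0.0:0     LISTENING
"""


def tcp_listeners(output):
    """Return [(host, port)] for every listening TCP socket in the text."""
    found = []
    for line in output.splitlines():
        fields = line.split()
        if not any(f.upper().startswith("LISTEN") for f in fields):
            continue  # header, UDP or non-listening row
        for token in fields:
            host, sep, port = token.rpartition(":")
            if sep and host and port.isdigit():
                found.append((host, int(port)))
                break  # the local address precedes the peer address
    return found


def wildcard_binds(output, port):
    """Return the wildcard local addresses still listening on `port`."""
    return [h for h, p in tcp_listeners(output) if p == port and h in WILDCARD_HOSTS]


if __name__ == "__main__":
    for name, text in [("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)]:
        hits = wildcard_binds(text, 9876)
        print(name, "EXPOSED on " + ", ".join(hits) if hits else "OK: no wildcard bind")
```

To check a live host, pass the captured text of `ss -ltn` (Linux) or `netstat -an` (Windows) to `wildcard_binds` in place of the samples.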
📡 Detection & Monitoring
Log Indicators:
- Unexpected connection attempts to archive-server port from unauthorized IP addresses
- Failed authentication attempts to archive-server service
Network Indicators:
- Network scans targeting the archive-server port (default 9876)
- Unexpected outbound connections from archive-server to external systems
SIEM Query:
source='acronis-logs' AND (event_type='connection_attempt' OR event_type='auth_failure') AND dest_port=9876