CVE-2024-49384
📋 TL;DR
In affected Acronis Cyber Protect 16 builds the acep-collector service binds to all network interfaces instead of a restricted address, which exposes unnecessary network attack surface: any host on the same network can reach and interact with the service. All installations of Acronis Cyber Protect 16 before build 38690 on Linux and Windows are affected.
💻 Affected Systems
- Acronis Cyber Protect 16
📦 What is this software?
Acronis Cyber Protect 16 is Acronis's integrated backup and endpoint-protection product for Windows and Linux systems; the acep-collector service discussed here ships as part of that installation.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could exploit other vulnerabilities in the exposed service or perform denial-of-service attacks against the collector service.
Likely Case
Increased attack surface enabling reconnaissance and potential exploitation of other vulnerabilities in the service.
If Mitigated
Minimal impact if proper network segmentation and firewall rules restrict access to the service.
🎯 Exploit Status
This vulnerability primarily increases attack surface; actual exploitation would require additional vulnerabilities in the exposed service.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 38690 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-7284
Restart Required: Yes
Instructions:
1. Download Acronis Cyber Protect 16 build 38690 or later from the Acronis portal.
2. Apply the update through the management console.
3. Restart the affected systems so that the acep-collector service comes up with the patched bind configuration, then confirm the listener with the checks under How to Verify.
🔧 Temporary Workarounds
Restrict network access with firewall
Configure host or network firewalls so that only trusted management systems can reach the acep-collector service port (default 9876). An ACCEPT/Allow rule on its own is not a restriction: on Linux it must be followed by a DROP for everyone else, and on Windows, where Block rules override Allow rules, narrow the existing Allow rule for the port (or the vendor's program rule) to the trusted addresses rather than adding a blanket Block, which would cut off the trusted hosts too. If the host has IPv6 enabled, apply equivalent rules there (ip6tables on Linux).
# Linux example (iptables; order matters, the DROP must come after the ACCEPT):
iptables -A INPUT -p tcp --dport 9876 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 9876 -j DROP
# Windows example (PowerShell; replace trusted_ip, and remove or narrow any broader Allow rule for the port):
New-NetFirewallRule -DisplayName "Restrict Acronis Collector" -Direction Inbound -LocalPort 9876 -Protocol TCP -RemoteAddress trusted_ip -Action Allow
Bind to localhost only
Configure the acep-collector service to bind to localhost (127.0.0.1, and ::1 if IPv6 is enabled) instead of all interfaces. This page does not document where the bind address is set; it varies by OS and installation, so check the vendor documentation for your build. A loopback-only bind also blocks the trusted management systems that the firewall workaround above lets through, so prefer the firewall approach if those systems need the collector over the network. After any change, restart the service and confirm the new local address with the check under How to Verify.
# Edit the service configuration to set the bind address to 127.0.0.1
# Location varies by OS and installation
🧯 If You Can't Patch
- Implement strict network segmentation to isolate systems running vulnerable Acronis Cyber Protect versions.
- Deploy host-based firewalls to restrict inbound connections to the acep-collector service port (default 9876) to only necessary management systems.
🔍 How to Verify
Check if Vulnerable:
Check the Acronis Cyber Protect 16 build number in the management console, or run 'acronis_cyber_protect_console --version' on Linux. Any build before 38690 is affected. Independently of the version, a listener for port 9876 on 0.0.0.0 or [::] (see Verify Fix Applied) confirms the exposure.
Check Version:
acronis_cyber_protect_console --version
Verify Fix Applied:
Confirm the installed version is build 38690 or later, then confirm the acep-collector listener is no longer bound to a wildcard address: on Linux run 'ss -ltn | grep :9876' (or 'netstat -an | grep :9876' where netstat is installed), on Windows 'netstat -an | findstr :9876'. A local address of 0.0.0.0, * or [::] means all interfaces; 127.0.0.1 or [::1] means loopback only. Check the IPv6 line as well: on Linux a socket bound to [::] normally accepts IPv4 connections too, so an IPv4 loopback bind alone is not enough.
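The following Python script is an added example (not from this page or from Acronis) that automates the listener check above: it parses the output of 'ss -ltn' or 'netstat -an' in both the Linux and the Windows layout and reports whether the port is bound to a wildcard address. The port 9876 is the default this page gives; the sample outputs are constructed, not captured from a real host.

```python
import re

# Port this page gives as the acep-collector default (assumption: adjust for your deployment).
COLLECTOR_PORT = 9876

# Local addresses that mean "every interface" in ss / netstat output (IPv4 and IPv6 forms).
WILDCARD_ADDRS = {"0.0.0.0", "::", "[::]", "*", ""}

# Constructed sample outputs (not from a real host).
SAMPLE_VULNERABLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:9876        0.0.0.0:*
LISTEN 0      128    [::]:9876           [::]:*
"""
SAMPLE_MITIGATED = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:9876      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""
SAMPLE_WINDOWS = """\
  TCP    0.0.0.0:9876           0.0.0.0:0              LISTENING
  TCP    [::]:9876              [::]:0                 LISTENING
  TCP    127.0.0.1:49664        0.0.0.0:0              LISTENING
"""


def parse_listeners(output, port=COLLECTOR_PORT):
    """Return the local addresses on which `port` is in LISTEN/LISTENING state.

    Works on `ss -ltn` and Linux `netstat -an` output as well as Windows `netstat -an`.
    Only TCP listeners are considered (UDP lines carry no LISTEN state).
    """
    addrs = []
    for line in output.splitlines():
        if "LISTEN" not in line:  # matches LISTEN (Linux) and LISTENING (Windows)
            continue
        for token in line.split():
            # addr:port token; greedy match keeps "[::]" / "::" / "0.0.0.0" intact as the address
            m = re.fullmatch(r"(.*):(\d+)", token)
            if m and int(m.group(2)) == port:
                addrs.append(m.group(1))
                break  # the local address column precedes the peer column
    return addrs


def classify(addr):
    """Classify a local address as all-interfaces, loopback or specific."""
    if addr in WILDCARD_ADDRS:
        return "all-interfaces"
    if addr.startswith("127.") or addr in ("::1", "[::1]"):
        return "loopback"
    return "specific"


def is_exposed(output, port=COLLECTOR_PORT):
    """True if any listener on `port` is bound to a wildcard (all-interfaces) address."""
    return any(classify(a) == "all-interfaces" for a in parse_listeners(output, port))


if __name__ == "__main__":
    for name, sample in (("vulnerable", SAMPLE_VULNERABLE),
                         ("mitigated", SAMPLE_MITIGATED),
                         ("windows", SAMPLE_WINDOWS)):
        listeners = parse_listeners(sample)
        print(name, [(a, classify(a)) for a in listeners], "EXPOSED" if is_exposed(sample) else "ok")
```

On a live host feed the script the real output, for example 'ss -ltn | python3 check_bind.py' with a small stdin wrapper, and treat any all-interfaces entry, IPv4 or IPv6, as a finding.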
📡 Detection & Monitoring
Log Indicators:
- Unusual connection attempts to port 9876 from unauthorized IP addresses
- Service restart events for acep-collector
Network Indicators:
- Network scans targeting port 9876
- Unexpected traffic to the acep-collector service from non-management systems
SIEM Query:
destination_port:9876 AND NOT (source_ip IN [trusted_management_ips])
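As an added example (not from this page or the vendor), the Python below applies the SIEM query's logic to constructed key=value connection events, treats the trusted list as CIDR ranges rather than single addresses, and adds the sweep check from Network Indicators (one source touching port 9876 on several hosts). The trusted ranges, log format and events are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Port this page gives as the acep-collector default (assumption).
COLLECTOR_PORT = 9876

# Hypothetical trusted management hosts/subnets; the SIEM query's [trusted_management_ips].
TRUSTED_MANAGEMENT = [ipaddress.ip_network(n) for n in ("10.10.1.0/24", "192.168.100.5/32")]

# Constructed connection events (not real logs): timestamp followed by key=value pairs.
SAMPLE_EVENTS = """\
2024-11-05T10:02:13Z src=10.10.1.40 dst=10.10.5.23 dport=9876 proto=tcp action=allow
2024-11-05T10:02:20Z src=10.10.1.40 dst=10.10.5.24 dport=9876 proto=tcp action=allow
2024-11-05T10:03:01Z src=172.16.9.77 dst=10.10.5.23 dport=9876 proto=tcp action=allow
2024-11-05T10:03:02Z src=172.16.9.77 dst=10.10.5.24 dport=9876 proto=tcp action=deny
2024-11-05T10:03:03Z src=172.16.9.77 dst=10.10.5.25 dport=9876 proto=tcp action=deny
2024-11-05T10:04:00Z src=172.16.9.78 dst=10.10.5.23 dport=443 proto=tcp action=allow
"""


def parse_event(line):
    """Parse one 'ts k=v k=v ...' line into a dict with an int dport."""
    ts, *kvs = line.split()
    ev = dict(kv.split("=", 1) for kv in kvs)
    ev["ts"] = ts
    ev["dport"] = int(ev["dport"])
    return ev


def events(log):
    return [parse_event(l) for l in log.splitlines() if l.strip()]


def is_trusted(ip, trusted=TRUSTED_MANAGEMENT):
    """True if `ip` falls inside any trusted management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def untrusted_collector_connections(log, port=COLLECTOR_PORT, trusted=TRUSTED_MANAGEMENT):
    """destination_port:9876 AND NOT (source_ip IN trusted_management_ips).

    Denied attempts are kept on purpose: a firewall block still indicates someone probing the port.
    """
    return [(ev["ts"], ev["src"], ev["dst"], ev["action"])
            for ev in events(log)
            if ev["dport"] == port and not is_trusted(ev["src"], trusted)]


def collector_port_sweepers(log, port=COLLECTOR_PORT, min_targets=3):
    """Sources that touched `port` on at least `min_targets` distinct hosts (scan indicator)."""
    targets = defaultdict(set)
    for ev in events(log):
        if ev["dport"] == port:
            targets[ev["src"]].add(ev["dst"])
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_targets)


if __name__ == "__main__":
    for hit in untrusted_collector_connections(SAMPLE_EVENTS):
        print("untrusted:", *hit)
    print("sweepers:", collector_port_sweepers(SAMPLE_EVENTS))
```

The sweep check is evaluated for every source, trusted or not, since a compromised management host scanning for collectors is exactly the case a per-source allowlist would hide.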