Acronis Cyber Backup 12.5 Build 16341 Server-Side Request Forgery – CXSecurity.com

Vulnerability ID: 2159876   Vulnerability type: N/A   Published: 2020-09-17   Updated: 2020-09-17   CVE: CVE-2020-16171

CNNVD ID: N/A   Platform: N/A   CVSS score: N/A
Source:
https://cxsecurity.com/issue/WLB-2020090082
Vulnerability details:
Details not yet disclosed.
Vulnerability exploit / advisory:
RCE Security Advisory
https://www.rcesecurity.com
1. ADVISORY INFORMATION
=======================
Product:        Acronis Cyber Backup
Vendor URL:     https://www.acronis.com
Type:           Server-Side Request Forgery [CWE-918]
Date found:     2020-07-30
Date published: 2020-09-14
CVSSv3 Score:   8.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L)
CVE:            CVE-2020-16171
2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
3. VERSIONS AFFECTED
====================
Acronis Cyber Backup v12.5 Build 16341
and below.
4. INTRODUCTION
===============
Businesses can be at risk of losing important data. Lost data leads to costly
downtime, customer dissatisfaction, regulatory fines, and lost revenue. As a
result, IT pros must meet extremely high expectations. You need to keep the
company running 24 hours a day.
Acronis Cyber Backup delivers the data protection that meets today's demands. It
keeps your business running, protecting any workload, scaling without limits,
and saving you money.
(from the vendor's homepage)
5. VULNERABILITY DETAILS
========================
All API endpoints running on port 9877 under "/api/ams/", some of which are
reachable without authentication, accept an additional custom header called
"Shard":
def get_ams_address(headers):
    if 'Shard' in headers:
        [...]
        return headers.get('Shard')  # Mobile agent >= ABC5.0
The value of this header is afterwards used to construct a separate web request,
sent by the application using a urllib.request.urlopen call:
def make_request_to_ams(resource, method, data=None):
    port = config.CONFIG.get('default_ams_port', '9892')
    uri = 'http://{}:{}{}'.format(get_ams_address(request.headers), port, resource)
    logging.debug('Making request to AMS %s %s', method, uri)
    headers = dict(request.headers)
    del headers['Content-Length']
    if not data is None:
        headers['Content-Type'] = 'application/json'
    req = urllib.request.Request(uri,
                                 headers=headers,
                                 method=method,
                                 data=data)
    resp = None
    try:
        resp = urllib.request.urlopen(req, timeout=wcs.web.session.DEFAULT_REQUEST_TIMEOUT)
    except Exception as e:
        logging.error('Cannot access ams {} {}, error: {}'.format(method, resource, e))
    return resp
This can be abused to conduct SSRF attacks against otherwise unreachable internal hosts
of Acronis services that are bound to localhost, such as the "NotificationService" running
on 127.0.0.1:30572, with a request header like:
Shard: localhost:30572/external_email?
For more d; o n 2 ^etails, see the referenced blog post.
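The URI construction quoted above, reproduced as an added example (not code from the advisory or from Acronis) beside a hardened variant that only accepts a bare, allowlisted host in the Shard header and re-parses the built URL to confirm no component was reinterpreted. The allowlist registry, the example resource path and the host names are assumptions of this example:

```python
import re
from urllib.parse import urlsplit

# Default AMS port as it appears in the quoted make_request_to_ams() source.
DEFAULT_AMS_PORT = "9892"

# A bare hostname or IPv4 literal only. Rejecting ':', '/', '?', '@' and '#'
# stops the header from injecting a port, path, query or userinfo component.
_BARE_HOST = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def build_ams_uri_vulnerable(headers, resource, port=DEFAULT_AMS_PORT):
    """Mirrors the quoted string build: the host is taken verbatim from 'Shard'."""
    return "http://{}:{}{}".format(headers.get("Shard"), port, resource)


def build_ams_uri_hardened(headers, resource, allowed_shards, port=DEFAULT_AMS_PORT):
    """Same construction, but 'Shard' must be a bare host that is on an allowlist.

    allowed_shards is a hypothetical registry of known AMS hosts (an assumption of
    this example; the advisory does not describe the vendor's fix).
    """
    shard = headers.get("Shard")
    if shard is None or not _BARE_HOST.match(shard) or shard not in allowed_shards:
        raise ValueError("rejected Shard header: {!r}".format(shard))
    uri = "http://{}:{}{}".format(shard, port, resource)
    # Defence in depth: re-parse the result and confirm no component was reinterpreted.
    parts = urlsplit(uri)
    if parts.netloc != "{}:{}".format(shard, port) or parts.path != resource or parts.query:
        raise ValueError("URL structure changed after formatting: {!r}".format(uri))
    return uri


def describe_target(uri):
    """Return (host, port, path, query) as a urllib-style client would interpret the URL."""
    parts = urlsplit(uri)
    return parts.hostname, parts.port, parts.path, parts.query


if __name__ == "__main__":
    # Constructed headers using the Shard value quoted in the advisory; the resource
    # path is a placeholder, not a real AMS endpoint.
    hostile = {"Shard": "localhost:30572/external_email?"}
    uri = build_ams_uri_vulnerable(hostile, "/api/ams/example")
    print(uri)                   # the '?' turns ':9892/api/ams/example' into a query string
    print(describe_target(uri))  # ('localhost', 30572, '/external_email', ':9892/api/ams/example')
    try:
        build_ams_uri_hardened(hostile, "/api/ams/example", {"ams-node-1.example.internal"})
    except ValueError as err:
        print("hardened build refused:", err)
```

The parsed tuple shows why the appended port and resource path do no harm to the attacker's target: everything after the injected "?" is delivered as a query string to the loopback service named in the header.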
6. RISK
=======
The vulnerability can be used by an unauthenticated or authenticated attacker
to query otherwise unreachable internal network resources. As demonstrated in
the corresponding blog post, using this vulnerability it is possible, for example
(amongst others), to send out fully customized emails or modify the application's
resource settings.
7. SOLUTION
===========
Update to v12.5 Build 16342
8. REPORT TIMELINE
==================
2020-07-30: Discovery of the vulnerability
2020-07-30: Since the vulnerability is fixed in Cyber Protect: Sent out a
request to the Vendor to check whether Cyber Backup is EOL and users
are advised to migrate to Cyber Protect instead.
2020-07-30: CVE requested from MITRE
2020-07-31: MITRE assigns CVE-2020-16171
2020-07-31: Public Disclosure date set to 2020-08-14
2020-08-04: Vendor asks for a 90-day extension
2020-08-04: Extension not granted because there is a fix available already. Public disclosure
date set to 2020-09-14
2020-09-05: Asking vendor about the status of the fix
2020-09-08: Vendor states that a fix has been backported to Cyber Backup 12.5 under the
reference ABR-202103
2020-09-14: Public disclosure
9. REFERENCES
=============
https://www.rcesecurity.com/2020/09/CVE-2020-16171-Exploiting-Acronis-Cyber-Backup-for-Fun-and-Emails/
https://dl.acronis.com/u/backup/rn/12.5/user/en-US/AcronisBackup12.5_relnotes.htm