CVE-2020-10138 in Cyber Backup
Summary
by MITRE • 10/21/2020
Acronis Cyber Backup 12.5 and Cyber Protect 15 include an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory within C:\jenkins_agent\. Acronis Cyber Backup and Cyber Protect contain a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges.
Analysis
by VulDB Data Team • 11/25/2020
The vulnerability identified as CVE-2020-10138 affects Acronis Cyber Backup 12.5 and Cyber Protect 15 products, representing a critical privilege escalation flaw that leverages improper directory handling within the OpenSSL component. This vulnerability resides in the way the software manages the OPENSSLDIR variable, which is configured to point to a subdirectory within C:\jenkins_agent\. The flaw stems from the insecure default configuration that allows unprivileged users to manipulate the directory structure, creating a path that can be exploited to execute arbitrary code with SYSTEM privileges. The vulnerability is particularly concerning because it directly impacts a backup and protection solution that typically operates with elevated privileges and handles sensitive data across enterprise environments.
The technical implementation of this vulnerability exploits a well-known weakness in path resolution and privilege management within Windows systems. The OpenSSL component within Acronis Cyber Backup and Cyber Protect initializes with an OPENSSLDIR variable pointing to a subdirectory within C:\jenkins_agent\, a hardcoded build-time path that lacks proper security controls. When the privileged service executes, it loads the OpenSSL configuration from that location without sufficient validation or sandboxing, so any local user who creates the expected directory structure and places a malicious openssl.cnf file in it can have that file processed in the service's security context. This is a classic privilege escalation scenario in which a low-privilege user manipulates the configuration environment to gain SYSTEM-level access. The vulnerability aligns with CWE-22 Path Traversal and CWE-787 Out-of-bounds Write, as it involves improper handling of directory paths and configuration file processing. The attack vector specifically relates to the ATT&CK technique T1068 Privilege Escalation through exploitation of a vulnerability in a service or application that runs with elevated privileges.
The operational impact of CVE-2020-10138 extends beyond simple privilege escalation to encompass complete system compromise and data exfiltration capabilities. An attacker who gains access to a low-privilege account within an organization can leverage this vulnerability to obtain SYSTEM-level control over backup servers, potentially compromising the entire backup infrastructure and gaining access to sensitive data that has been backed up. The implications are particularly severe for enterprise environments where backup systems often contain critical business data, system configurations, and user credentials. The vulnerability undermines the security posture of organizations relying on Acronis solutions, as it allows attackers to bypass traditional security controls and escalate privileges without requiring additional attack vectors or exploitation techniques. Organizations using these products face the risk of complete system compromise, data theft, and potential lateral movement within their networks, as the SYSTEM privileges obtained through this vulnerability provide unrestricted access to all system resources and services.
Mitigation strategies for CVE-2020-10138 require immediate action to address the root cause through proper configuration management and privilege controls. Organizations should immediately apply the vendor-provided patches and updates for Acronis Cyber Backup 12.5 and Cyber Protect 15 to resolve the OpenSSL directory handling issue. In the interim, system administrators should implement strict directory permissions and access controls, ensuring that the C:\jenkins_agent\ directory and its subdirectories are properly secured with appropriate access controls. The privileged service should be configured to run with minimal required privileges, and the OPENSSLDIR variable should be explicitly set to a secure location that cannot be manipulated by unprivileged users. Network segmentation and monitoring should be enhanced to detect suspicious directory creation activities and potential exploitation attempts. Additionally, organizations should conduct thorough security assessments of their backup infrastructure, review service account permissions, and implement proper file integrity monitoring to detect unauthorized changes to critical configuration files. The vulnerability highlights the importance of secure coding practices and proper privilege management in enterprise security solutions, emphasizing that applications handling sensitive data must be designed with security in mind to prevent such critical escalation paths.
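The interim checks above (verifying who can create or write under C:\jenkins_agent\, and whether an openssl.cnf is already present there) can be run as a short audit script. This is an added example written for this page, not a tool from Acronis or VulDB; the function name and the list of trusted principals are assumptions, and the hardening command in the trailing comment pre-creates the directory with a restrictive ACL because the exact subdirectory the OpenSSL build expects is not given in the advisory.

```powershell
# Added audit example (not vendor code). Run as an administrator on a host
# running Acronis Cyber Backup 12.5 / Cyber Protect 15.
function Test-OpensslDirExposure {
    param(
        [string]$Root = 'C:\jenkins_agent',
        # Assumed set of principals allowed to write here; anything else is flagged.
        [string[]]$TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    $findings = @()
    # Rights that let a principal plant a directory or file under the path.
    $writeRights = [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
                   [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::Write

    if (Test-Path -LiteralPath $Root) {
        $target = $Root
    } else {
        # If the directory is absent, whoever can create folders in C:\ can create it,
        # so the ACL that matters is the one on the system root.
        $findings += "INFO: $Root does not exist; evaluating create rights on C:\"
        $target = 'C:\'
    }

    $acl = Get-Acl -LiteralPath $target
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeRights) -ne 0) {
            $findings += "FLAG: $($ace.IdentityReference) can create/write under $target ($($ace.FileSystemRights))"
        }
    }

    if (Test-Path -LiteralPath $Root) {
        # Any openssl.cnf below the root is suspicious until its owner is verified.
        Get-ChildItem -LiteralPath $Root -Recurse -File -Filter 'openssl.cnf' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $owner = (Get-Acl -LiteralPath $_.FullName).Owner
                $findings += "FLAG: openssl.cnf at $($_.FullName) (owner: $owner)"
            }
    }
    return $findings
}

Test-OpensslDirExposure

# Interim hardening (assumed approach): create the root ahead of any unprivileged user
# and restrict it so only SYSTEM and Administrators can write, with inheritance to children:
#   New-Item -ItemType Directory -Path C:\jenkins_agent -Force | Out-Null
#   icacls C:\jenkins_agent /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F"
```

On a default Windows install the system root grants Authenticated Users the right to create folders, so the script flags that entry when C:\jenkins_agent\ is absent; pair the audit with file-integrity or file-creation monitoring on the path so a later openssl.cnf drop is caught.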