CVE-2020-10139 in True Image
Summary
by MITRE • 10/21/2020
Acronis True Image 2021 includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory within C:\jenkins_agent\. Acronis True Image contains a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges.
Analysis
by VulDB Data Team • 11/25/2020
The vulnerability CVE-2020-10139 is a critical local privilege escalation flaw in Acronis True Image 2021 rooted in how the bundled OpenSSL component locates its configuration. The OpenSSL build used by the product hardcodes its OPENSSLDIR variable to a subdirectory within C:\jenkins_agent\, a leftover of the build machine's layout that does not exist on customer systems. The product's privileged service runs as SYSTEM and uses this OpenSSL component, so whatever openssl.cnf the library finds at that path is loaded with SYSTEM privileges. Because the path is absent by default and its parent can be created by any unprivileged Windows user, a local attacker can supply the configuration file the privileged service will read.
The vulnerability hinges on weak directory permissions at the Windows system root. Attackers can create symbolic links or directly establish the required directory structure C:\jenkins_agent\ under the system root, then place a crafted openssl.cnf file there; when the privileged service initializes OpenSSL, the library reads that file and can be steered to load attacker-controlled content, bypassing standard user permissions and elevating to SYSTEM. The flaw is classified under CWE-22 (Path Traversal) and CWE-73 (External Control of File Name or Path), in the sense that an externally controllable directory decides which file the privileged process resolves and loads.
The operational impact extends beyond simple privilege escalation, because code running as SYSTEM amounts to complete compromise of the host. Once executed, the malicious code can manipulate system files, install persistent backdoors, access sensitive data, and establish covert communication channels. The vulnerability affects all Windows systems running Acronis True Image 2021 where the service operates with elevated privileges, which makes it particularly dangerous in enterprise environments where backup software of this kind is widely deployed. In ATT&CK terms it maps to T1068 (Exploitation for Privilege Escalation), here through a service configuration weakness and path manipulation.
Mitigation for CVE-2020-10139 starts with the official vendor patch, which corrects the OpenSSL directory handling. System administrators should also apply the principle of least privilege by restricting unprivileged write access to the system root and monitoring for unauthorized directory creation there. Windows Defender Application Control or a comparable application whitelisting solution can block execution of unauthorized code from the targeted paths. Regular security audits should confirm that no unexpected symbolic links exist in critical system paths and that OpenSSL configurations match a known-good baseline. Organizations should additionally consider network segmentation and alerting on suspicious file creation in system directories: exploitation requires local access, but a successful attempt yields full system compromise.
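The following PowerShell script is an added example, not code from the VulDB page or from Acronis, that turns the two practical points above into checks an administrator can run on an unpatched host: it reports whether non-administrative principals can create directories under C:\ (the precondition the attack needs), whether C:\jenkins_agent already exists and who owns it, and whether an openssl.cnf is present beneath it; and it offers to pre-create the directory with an ACL limited to SYSTEM and Administrators so an unprivileged user can no longer claim the path. The path C:\jenkins_agent is the one named in the advisory; the function names and the list of principals treated as privileged are this example's own assumptions, and the script must run elevated.

```powershell
#Requires -RunAsAdministrator
# Added example (not from VulDB or Acronis): audit and pre-empt the user-creatable
# OPENSSLDIR parent described for CVE-2020-10139. Assumes an elevated Windows session.

$OpenSslDir = 'C:\jenkins_agent'   # parent of the hardcoded OPENSSLDIR named in the advisory

# Principals that are expected to hold write rights on system paths (assumption of this example).
$PrivilegedPrincipals = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                        'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'

function Test-NonAdminWrite {
    # Returns $true when any Allow ACE for a non-privileged principal grants a right
    # that permits creating files or subdirectories under $Path.
    param([Parameter(Mandatory)][string]$Path)
    $writeMask = [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
                 [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                 [System.Security.AccessControl.FileSystemRights]::Write
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($PrivilegedPrincipals -contains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

function Get-OpenSslDirStatus {
    # Reports the state of the advisory's path: existence, owner, writability, config present.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Owner = $null
                                  NonAdminWritable = $null; ConfigPresent = $false; ConfigFiles = @() }
    }
    $acl = Get-Acl -LiteralPath $Path
    $cnf = @(Get-ChildItem -LiteralPath $Path -Recurse -File -Filter 'openssl.cnf' -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Path             = $Path
        Exists           = $true
        Owner            = $acl.Owner              # a non-admin owner is a strong warning sign
        NonAdminWritable = Test-NonAdminWrite -Path $Path
        ConfigPresent    = ($cnf.Count -gt 0)
        ConfigFiles      = $cnf.FullName
    }
}

function Protect-OpenSslDir {
    # Pre-creates the directory with inheritance disabled and Full Control for SYSTEM and
    # Administrators only. An existing directory is reported, not modified, so that an
    # attacker-created one can be examined before it is touched.
    param([Parameter(Mandatory)][string]$Path)
    if (Test-Path -LiteralPath $Path) {
        $owner = (Get-Acl -LiteralPath $Path).Owner
        Write-Warning "$Path already exists (owner: $owner); investigate before changing its ACL."
        return $false
    }
    $dir = New-Item -ItemType Directory -Path $Path
    $acl = Get-Acl -LiteralPath $dir.FullName
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting the root's permissive ACEs
    foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $dir.FullName -AclObject $acl
    return $true
}

# Usage (elevated):
"Non-admin principals can create directories under C:\ : $(Test-NonAdminWrite -Path 'C:\')"
Get-OpenSslDirStatus -Path $OpenSslDir | Format-List
# Protect-OpenSslDir -Path $OpenSslDir   # uncomment to occupy the path on hosts awaiting the patch
```

On a default Windows installation the first line reports True, because Authenticated Users hold the AppendData (CreateDirectories) right on the root, which is exactly why the hardcoded path is reachable. Pre-creating the directory only closes this one path; it is a stopgap until the vendor patch is applied, and the audit output (an existing directory owned by a standard user, or an openssl.cnf already in place) should be treated as an indicator worth investigating rather than silently overwritten.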