CVE-2020-9450 in Acronis True Image

Summary

by MITRE • 05/25/2021

An issue was discovered in Acronis True Image 2020 24.5.22510. anti_ransomware_service.exe exposes a REST API that can be used by everyone, even unprivileged users. This API is used to communicate from the GUI to anti_ransomware_service.exe. This can be exploited to add an arbitrary malicious executable to the whitelist, or even exclude an entire drive from being monitored by anti_ransomware_service.exe.

Analysis

by VulDB Data Team • 05/29/2021

The vulnerability identified as CVE-2020-9450 represents a critical security flaw in Acronis True Image 2020 version 24.5.22510 where the anti_ransomware_service.exe component exposes a REST API without proper authentication mechanisms. This design flaw allows any unprivileged user on the system to interact with the service through the exposed interface, fundamentally undermining the security model of the anti-ransomware protection system. The REST API serves as a communication channel between the graphical user interface and the core anti-ransomware service, creating an attack surface that should have been restricted to authorized administrative access only. This exposure creates a dangerous privilege escalation scenario where malicious actors can manipulate the security configuration of the system without requiring elevated privileges.

The technical root of this vulnerability is improper access control within the anti_ransomware_service.exe process. The service does not validate the caller's identity or enforce authorization checks before processing API requests, so arbitrary local users can submit commands that modify the security configuration. The exposed API enables two primary malicious actions: adding arbitrary executable files to the whitelist, which bypasses anti-ransomware monitoring for those binaries, and excluding entire storage drives from protection monitoring. These capabilities directly violate the fundamental security principles of endpoint protection systems and create a pathway for persistent malware execution. The vulnerability maps to CWE-284 (Improper Access Control), specifically inadequate access control enforcement in a service component.

The operational impact of this vulnerability extends beyond simple privilege escalation to encompass complete compromise of the anti-ransomware protection mechanism. An attacker with basic user privileges can effectively disable critical security controls, rendering the system vulnerable to ransomware attacks while maintaining operational stealth. The ability to whitelist malicious executables means that even sophisticated malware could bypass all monitoring and protection measures, while drive exclusion capabilities could prevent detection of file encryption activities across entire storage volumes. This vulnerability essentially provides a backdoor into the security architecture that could be exploited by threat actors to establish persistent presence on systems while evading detection mechanisms. The implications align with ATT&CK technique T1059 Command and Scripting Interpreter and T1068 Exploitation for Privilege Escalation, as it enables unauthorized code execution and privilege elevation through service manipulation.

Mitigation for this vulnerability requires immediate access control restrictions on the exposed REST API endpoints. System administrators should ensure that only authorized users and processes can communicate with the anti_ransomware_service.exe component, with proper authentication and authorization checks enforced by the service itself. The recommended approach is to apply the vendor-provided security patches or updates that address the access control deficiency. Organizations should also consider network segmentation and monitoring to detect unauthorized API access attempts. Additionally, security teams should assess all exposed services and APIs within endpoint protection systems to identify similar access control weaknesses. The vulnerability underscores the importance of secure coding practices and proper privilege separation in security-critical components, particularly those handling system-level protection mechanisms. Regular security audits and penetration testing of security software components are essential to prevent similar exposure in enterprise environments.
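To make the mitigation concrete, the following is an added illustration written for this page, not code from Acronis or from VulDB. It models a local configuration API of the kind the advisory describes and contrasts the weak pattern (requests processed with no check of the caller) with a hardened handler that requires an administrative caller and records every attempt to change protection settings. The action names (`whitelist_add`, `exclude_drive`), the `Caller` privilege model and the request shape are assumptions for the example; the real service's interface is not documented here.

```python
"""Added example (not Acronis or VulDB code): authorization gating on a
local protection-configuration API.  Endpoint names, the caller model and
the audit format are assumptions made for this illustration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Caller:
    """Constructed caller identity as the service would see it: the OS user
    and whether the OS considers that user an administrator (assumption)."""
    user: str
    is_admin: bool


@dataclass
class ProtectionConfig:
    """State that the API can modify, plus an audit trail for defenders."""
    whitelist: set = field(default_factory=set)
    excluded_drives: set = field(default_factory=set)
    audit: list = field(default_factory=list)


class AuthorizationError(PermissionError):
    """Raised when a non-administrative caller tries to change protection."""


# The two configuration-changing actions the advisory describes.
_ACTIONS = ("whitelist_add", "exclude_drive")


def _apply(cfg: ProtectionConfig, action: str, target: str) -> None:
    """Perform the configuration change itself (shared by both handlers)."""
    if action == "whitelist_add":
        cfg.whitelist.add(target)
    elif action == "exclude_drive":
        cfg.excluded_drives.add(target)
    else:
        raise ValueError(f"unknown action {action!r}")


def handle_request_vulnerable(cfg: ProtectionConfig, caller: Caller,
                              action: str, target: str) -> bool:
    """Weak pattern: the request is applied without looking at the caller.
    This is the class of flaw described in CVE-2020-9450; any local user
    can whitelist a binary or exclude a drive."""
    _apply(cfg, action, target)
    return True


def handle_request_hardened(cfg: ProtectionConfig, caller: Caller,
                            action: str, target: str) -> bool:
    """Hardened pattern: validate the action, then require an administrative
    caller before any protection setting changes.  Every attempt, allowed or
    denied, is written to the audit trail so tampering is detectable."""
    if action not in _ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    entry = {"user": caller.user, "action": action, "target": target}
    if not caller.is_admin:
        entry["result"] = "denied"
        cfg.audit.append(entry)
        raise AuthorizationError(
            f"{caller.user} is not permitted to perform {action}")
    _apply(cfg, action, target)
    entry["result"] = "allowed"
    cfg.audit.append(entry)
    return True


def denied_attempts(cfg: ProtectionConfig) -> list:
    """Detection helper: the audit entries a defender would alert on."""
    return [e for e in cfg.audit if e["result"] == "denied"]


if __name__ == "__main__":
    # Constructed sample: an ordinary user tries to exclude a whole drive.
    user = Caller("alice", is_admin=False)
    weak = ProtectionConfig()
    handle_request_vulnerable(weak, user, "exclude_drive", "D:\\")
    print("vulnerable handler excluded drives:", weak.excluded_drives)

    strong = ProtectionConfig()
    try:
        handle_request_hardened(strong, user, "exclude_drive", "D:\\")
    except AuthorizationError as exc:
        print("hardened handler refused:", exc)
    print("audit trail:", strong.audit)
```

The important design point is that the check lives in the service, not in the GUI: the advisory's flaw is precisely that the GUI was the only thing standing between an unprivileged user and the configuration, and any local process can speak to the API directly. The audit list stands in for whatever event log the real product would write; a denied `exclude_drive` or `whitelist_add` from a non-administrative user is a useful detection signal in its own right.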

Reservation: 02/28/2020

Disclosure: 05/25/2021

Moderation: accepted

CPE: ready

EPSS: 0.00395

KEV: no

Activities: very low
