The Acronis True Image disk back-up utility program checks for and retrieves updates over unprotected HTTP channels, the CERT/CC warned on Monday.
The Acronis True Image disk back-up utility program checks for and retrieves updates over unprotected HTTP channels, the CERT/CC warned on Monday.

The disk back-up utility software Acronis True Image is susceptible to arbitrary code execution attacks because it does not perform update operations securely, according to a new vulnerability advisory published on Monday.

The advisory, issued by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University's Software Engineering Institute, warns that versions 2017 Build 8053 and earlier of the Acronis product for Windows and Mac checks for and retrieves updates over unprotected HTTP channels. "Downloaded updates are not validated beyond verifying the server-provided MD5 hash," the advisory states.

Consequently, unauthorized attackers who are on the same network as the Acronis product, or who can affect network traffic from a True Image user, can exploit this vulnerability – officially designated CVE-2017-3219 – to make the update process execute arbitrary code with system administrator privileges, the advisory explains.

In an email, an Acronis spokesperson told SC Media that the company "immediately fixed the vulnerability, prepared a patch for our newest update, and are currently notifying users of the issue," urging them to apply the patch even through the threat is "considered low-risk since multiple, rare occurrences would need to happen in order for someone to exploit the vulnerability."

Meanwhile, as a workaround, the CERT/CC recommends that users of the utility retrieve all of their updates directly from the Acronis web site, using their web browser. It also suggests avoiding public WiFi and other untrusted networks.

Update 6/21: SC Media updated the story to include comments from Acronis.