Network Security, Patch/Configuration Management, Vulnerability Management

Acronis True Image develops patch, after utility software fails to update securely

The disk back-up utility software Acronis True Image is susceptible to arbitrary code execution attacks because it does not perform update operations securely, according to a new vulnerability advisory published on Monday.

The advisory, issued by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University's Software Engineering Institute, warns that versions 2017 Build 8053 and earlier of the Acronis product for Windows and Mac checks for and retrieves updates over unprotected HTTP channels. "Downloaded updates are not validated beyond verifying the server-provided MD5 hash," the advisory states.

Consequently, unauthorized attackers who are on the same network as the Acronis product, or who can affect network traffic from a True Image user, can exploit this vulnerability – officially designated CVE-2017-3219 – to make the update process execute arbitrary code with system administrator privileges, the advisory explains.

In an email, an Acronis spokesperson told SC Media that the company "immediately fixed the vulnerability, prepared a patch for our newest update, and are currently notifying users of the issue," urging them to apply the patch even through the threat is "considered low-risk since multiple, rare occurrences would need to happen in order for someone to exploit the vulnerability."

Meanwhile, as a workaround, the CERT/CC recommends that users of the utility retrieve all of their updates directly from the Acronis web site, using their web browser. It also suggests avoiding public WiFi and other untrusted networks.

Update 6/21: SC Media updated the story to include comments from Acronis.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.