Unauthenticated web security vulnerability resolved

UPDATED A serious security vulnerability affecting Acronis Cyber Backup might have allowed attackers to send spoofed emails containing malicious attachments under the guise of backup failure notifications.

The issue, discovered by security researcher Julien Ahrens of RCE Security, stemmed from a server-side request forgery (SSRF) vulnerability in the web-facing components of the data backup technology.

In a detailed technical write-up, Ahrens explains how an unauthenticated SSRF in Acronis Cyber Backup had a severe application logic impact.

The recently resolved flaw allowed an attacker to send fully customizable emails to any recipient by “abusing a web service that is bound to localhost”, Ahrens explains.

“The fun thing about this issue is that the emails can be sent as backup indicators, including fully customizable attachments,” he added.

“Imagine sending Acronis ‘Backup Failed’ emails to the whole organization with a nice backdoor attached to it?”

Ahrens reported the issue to Acronis, which resolved it. Users need to upgrade to Acronis Cyber Backup up to v12.5 Build 16341 or later to avoid potential problems.

In its release notes last week, Acronis acknowledged Ahrens for discovering a “security vulnerability that allows attackers to send HTTP requests in the local network via Acronis Management Server”.

Ahrens uncovered the vulnerability using source code review and without needing to obtain the product for testing himself.

Ahrens told The Daily Swig that the main lesson other developers should take from the incident is to avoid using “localhost binding as your sole authorization concept”.
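That lesson can be made concrete with an added example, which is not code from the article, from Ahrens' write-up or from Acronis: an internal service's authorization check that trusts the loopback source address alone, beside one that also requires a keyed tag on the request. The header name `X-Internal-Auth`, the shared key and the request body are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed secret for this example; a real deployment would load it from
# protected storage readable only by the legitimate local callers.
SERVICE_KEY = secrets.token_bytes(32)


def sign(body: bytes, key: bytes = SERVICE_KEY) -> str:
    """Tag a legitimate caller attaches to its request (hypothetical header value)."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def is_loopback(peer_ip: str) -> bool:
    return ipaddress.ip_address(peer_ip).is_loopback


def authorize_weak(peer_ip: str, headers: dict, body: bytes) -> bool:
    """Before: the source address is the only authorization check."""
    return is_loopback(peer_ip)


def authorize_hardened(peer_ip: str, headers: dict, body: bytes) -> bool:
    """After: loopback only narrows exposure; the keyed tag is the authorization."""
    if not is_loopback(peer_ip):
        return False
    tag = headers.get("X-Internal-Auth", "")
    # Compare as bytes in constant time; a missing or malformed tag simply fails.
    return hmac.compare_digest(tag.encode(), sign(body).encode())


def demo() -> dict:
    body = b'{"action": "send_notification"}'  # constructed request body
    # A request relayed by a front-end on the same host (the SSRF case) arrives
    # from 127.0.0.1, but whoever caused it does not hold SERVICE_KEY.
    relayed = ("127.0.0.1", {}, body)
    legit = ("127.0.0.1", {"X-Internal-Auth": sign(body)}, body)
    return {
        "weak_accepts_relayed": authorize_weak(*relayed),
        "hardened_accepts_relayed": authorize_hardened(*relayed),
        "hardened_accepts_legit": authorize_hardened(*legit),
    }


if __name__ == "__main__":
    print(demo())
```

The tag binds only the request body; a production design would also cover a timestamp or nonce so that a captured request cannot be replayed.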

The security researcher did not report the vulnerability through Acronis' official bug bounty program, so he received no reward for his finding.

The Daily Swig has submitted follow-up questions to Acronis. We’ll update this story as and when more information comes to hand.

This story was updated to include comments from the security researcher, Julien Ahrens.