CVE-2020-9452 - OpenCVE

An issue was discovered in Acronis True Image 2020 24.5.22510. anti_ransomware_service.exe includes functionality to quarantine files by copying a suspected ransomware file from one directory to another using SYSTEM privileges. Because unprivileged users have write permissions in the quarantine folder, it is possible to control this privileged write with a hardlink. This means that an unprivileged user can write/overwrite arbitrary files in arbitrary folders. Escalating privileges to SYSTEM is trivial with arbitrary writes. While the quarantine feature is not enabled by default, it can be forced to copy the file to the quarantine by communicating with anti_ransomware_service.exe through its REST API.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:L/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Acronis	True Image 2020

Configuration 1 [-]

cpe:2.3:a:acronis:true_image_2020:24.5.22510:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://danishcyberdefence.dk/blog
https://madsjoensen.dk/cve-2020-9452/
https://www.acronis.com

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-05-25T11:21:58

Updated: 2024-08-04T10:26:16.212Z

Reserved: 2020-02-28T00:00:00

Link: CVE-2020-9452

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-05-25T12:15:07.833

Modified: 2022-07-12T17:42:04.277

Link: CVE-2020-9452

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Acronis True Image 2020 24.5.22510. anti_ransomware_service.exe includes functionality to quarantine files by copying a suspected ransomware file from one directory to another using SYSTEM privileges. Because unprivileged users have write permissions in the quarantine folder, it is possible to control this privileged write with a hardlink. This means that an unprivileged user can write/overwrite arbitrary files in arbitrary folders. Escalating privileges to SYSTEM is trivial with arbitrary writes. While the quarantine feature is not enabled by default, it can be forced to copy the file to the quarantine by communicating with anti_ransomware_service.exe through its REST API."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-05-25T11:21:58", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.acronis.com"}, {"tags": ["x_refsource_MISC"], "url": "https://danishcyberdefence.dk/blog"}, {"tags": ["x_refsource_MISC"], "url": "https://madsjoensen.dk/cve-2020-9452/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-9452", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Acronis True Image 2020 24.5.22510. anti_ransomware_service.exe includes functionality to quarantine files by copying a suspected ransomware file from one directory to another using SYSTEM privileges. Because unprivileged users have write permissions in the quarantine folder, it is possible to control this privileged write with a hardlink. This means that an unprivileged user can write/overwrite arbitrary files in arbitrary folders. Escalating privileges to SYSTEM is trivial with arbitrary writes. While the quarantine feature is not enabled by default, it can be forced to copy the file to the quarantine by communicating with anti_ransomware_service.exe through its REST API."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.acronis.com", "refsource": "MISC", "url": "https://www.acronis.com"}, {"name": "https://danishcyberdefence.dk/blog", "refsource": "MISC", "url": "https://danishcyberdefence.dk/blog"}, {"name": "https://madsjoensen.dk/cve-2020-9452/", "refsource": "MISC", "url": "https://madsjoensen.dk/cve-2020-9452/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:26:16.212Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.acronis.com"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://danishcyberdefence.dk/blog"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://madsjoensen.dk/cve-2020-9452/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-9452", "datePublished": "2021-05-25T11:21:58", "dateReserved": "2020-02-28T00:00:00", "dateUpdated": "2024-08-04T10:26:16.212Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:acronis:true_image_2020:24.5.22510:*:*:*:*:*:*:*", "matchCriteriaId": "5098DA80-2939-413C-AC35-A0D3A455CA28", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Acronis True Image 2020 24.5.22510. anti_ransomware_service.exe includes functionality to quarantine files by copying a suspected ransomware file from one directory to another using SYSTEM privileges. Because unprivileged users have write permissions in the quarantine folder, it is possible to control this privileged write with a hardlink. This means that an unprivileged user can write/overwrite arbitrary files in arbitrary folders. Escalating privileges to SYSTEM is trivial with arbitrary writes. While the quarantine feature is not enabled by default, it can be forced to copy the file to the quarantine by communicating with anti_ransomware_service.exe through its REST API."}, {"lang": "es", "value": "Se detect\u00f3 un problema en Acronis True Image 2020 versiones 24.5.22510. El archivo anti_ransomware_service.exe incluye la funcionalidad para poner en cuarentena archivos al copiar un archivo sospechoso de ransomware de un directorio a otro usando privilegios SYSTEM. Debido a que usuarios no privilegiados presentan permisos de escritura en la carpeta de cuarentena, es posible controlar esta escritura privilegiada con un enlace f\u00edsico. Esto significa para un usuario no privilegiado poder escribir o sobrescribir archivos arbitrarios en carpetas arbitrarias. Escalar privilegios a SYSTEM es trivial con escrituras arbitrarias. Si bien la funcionalidad quarantine no est\u00e1 habilitada por defecto, puede ser forzado a copiar el archivo a la cuarentena comunic\u00e1ndose con anti_ransomware_service.exe por medio de su API REST"}], "id": "CVE-2020-9452", "lastModified": "2022-07-12T17:42:04.277", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-25T12:15:07.833", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://danishcyberdefence.dk/blog"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://madsjoensen.dk/cve-2020-9452/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.acronis.com"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "nvd@nist.gov", "type": "Primary"}]}