S4E

CVE-2023-45249 Scanner

CVE-2023-45249 Scanner - Remote Code Execution (RCE) via Default Credentials vulnerability in Acronis Cyber Infrastructure

Short Info

Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 2 weeks 20 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

Acronis Cyber Infrastructure (ACI) is a comprehensive platform designed to deliver enterprise-grade hyper-converged infrastructure (HCI) solutions. It is used globally by IT administrators and system managers to manage and store data securely and efficiently. The software is geared towards ensuring data protection, disaster recovery, and software-defined infrastructure services. Aimed at enterprise-level deployments, ACI is regarded for its scalability and resilience. It is favored in various sectors such as education, finance, and technology for its robust data management capabilities. Acronis Cyber Infrastructure's primary function is to streamline and secure virtualized environments and data storage solutions.

The vulnerability in question is a Remote Code Execution (RCE) flaw stemming from the use of default credentials in Acronis Cyber Infrastructure. It is rated critical because it allows unauthorized users to execute arbitrary commands remotely. It specifically affects deployments where the default passwords set by Acronis have not been changed. Affected releases are those prior to builds 5.0.1-61, 5.1.1-71, 5.2.1-69, 5.3.1-53, and 5.4.4-132. An attacker exploiting this flaw can potentially compromise the entire system. The root cause is insecure credential management, which represents a significant risk to system security.

Technically, the vulnerability lies in the default settings of the Acronis infrastructure, which allow access using a standard username and password. If the default credentials are not changed, this provides an entry point for executing arbitrary commands. The vulnerable endpoint is the PostgreSQL database used within the system, because it relies on default user credentials such as 'vstoradmin'. Attackers can exploit this by sending remote commands to the system over an open port, leading to unauthorized data access and manipulation. Affected systems remain exposed until they are updated or reconfigured so that the default credentials are no longer usable.

Exploitation of this vulnerability can have severe consequences, up to a system-wide compromise. Attackers can gain full control over the affected infrastructure, allowing them to delete, modify, or exfiltrate sensitive data. They can also use the compromised system as a foothold for further attacks, such as data breaches or deeper network intrusion. The organization's integrity and confidentiality are put at risk, with possible financial losses, reputational damage, and operational disruption. Remediation is essential to prevent unauthorized access to and control over the Acronis infrastructure.
