PT-2020-11951 · Openssl+1 · Openssl+1

Adr +4 · Published 2020-10-21 · Updated 2021-12-20 · CVE-2020-10139

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Acronis True Image version 2021

Description

The issue concerns an OpenSSL component in Acronis True Image 2021, where the OPENSSLDIR variable is specified as a subdirectory within C:\jenkins_agent\. This component is used by a privileged service within Acronis True Image. An unprivileged Windows user can create subdirectories off the system root, potentially allowing the creation of a specially-crafted openssl.cnf file. This could lead to arbitrary code execution with SYSTEM privileges.

Recommendations

For Acronis True Image version 2021, consider restricting access to the system root to prevent unprivileged users from creating subdirectories that could be used to exploit this issue. As a temporary workaround, restrict the use of the OpenSSL component until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
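
An audit for the condition described above, added here as an example and not taken from Acronis or from this advisory's source. Assumptions: the build-time directory is the C:\jenkins_agent path named in the description, the list of trusted SIDs is a reasonable default for a workstation, and the function name Get-UntrustedWriter is hypothetical.

```powershell
# Added example: reports who can create folders under the system root and,
# if the build-time OPENSSLDIR parent already exists, who owns and can write to it.
param(
    [string]$SystemRoot = 'C:\',
    [string]$BakedRoot  = 'C:\jenkins_agent'   # from the advisory text; adjust if needed
)

# Rights that let a principal create a subdirectory or drop a file.
$writeRights = [System.Security.AccessControl.FileSystemRights]'CreateDirectories, CreateFiles'

# Principals expected to hold write access (assumed list, well-known SIDs).
$trustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

function Get-UntrustedWriter {
    param([string]$Path)
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        # Inherit-only ACEs do not apply to the directory itself, so skip them.
        $inheritOnly = $ace.PropagationFlags -band
            [System.Security.AccessControl.PropagationFlags]::InheritOnly
        if ($ace.AccessControlType -eq 'Allow' -and -not $inheritOnly -and
            ($ace.FileSystemRights -band $writeRights) -and
            $trustedSids -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Path   = $Path
                Sid    = $ace.IdentityReference.Value
                Rights = $ace.FileSystemRights
            }
        }
    }
}

# 1. Can a non-admin principal create folders directly under the system root?
Get-UntrustedWriter -Path $SystemRoot

# 2. If the build-time path exists, check its owner, its writers and any openssl.cnf below it.
if (Test-Path -LiteralPath $BakedRoot) {
    '{0} exists, owner: {1}' -f $BakedRoot, (Get-Acl -LiteralPath $BakedRoot).Owner
    Get-UntrustedWriter -Path $BakedRoot
    Get-ChildItem -LiteralPath $BakedRoot -Recurse -Filter openssl.cnf -ErrorAction SilentlyContinue |
        Select-Object FullName, LastWriteTime, @{n='Owner'; e={ (Get-Acl -LiteralPath $_.FullName).Owner }}
} else {
    "$BakedRoot does not exist"
}
```

Any row returned for the system root, or a non-administrative owner on the build-time directory or an openssl.cnf beneath it, is the precondition the description relies on.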

Weakness Enumeration

Improper Access Control

Improper Initialization

Related Identifiers

CVE-2020-10139

Affected Products

Acronis True Image
Openssl