Affected products:

Overview

In March 2024, a critical vulnerability tracked as *CVE-2024-8767* was discovered in the popular Acronis Backup integrations for web hosting panels, including cPanel, Plesk, and DirectAdmin. The bug allows attackers to *disclose* and *alter sensitive data* by abusing unnecessarily high privileges assigned to plugin components.

If you host customer sites or handle backups using any of these plugins (in the versions listed above), you are at high risk of credential compromise, data leaks, and unauthorized changes to customer backups.

What’s the problem?

Acronis' integration plugins are designed to automate backup tasks for web panels. To do this, they interact with core system tools, and older versions did so by running some components with root or broad system-administrator privileges on Linux.

Without proper access controls, an attacker with access to the server (e.g., a low-privileged user or compromised website account) can:

- Access backup files of *other users/accounts*
- Replace/delete/modify backup data not belonging to them

How does the exploit work? (Technical Details)

Vulnerable plugin scripts and processes are owned by root yet ship with directory or file permissions such as 0777 or 0755, which exposes their configuration and backup data to a much wider group of users than necessary.

For example, parts of the plugin can execute backup/restore operations as root without verifying whether the calling user is permitted to do so.

Example scenario

1. Attacker obtains/guesses credentials for a low-privileged panel user or SSH account.
2. The attacker browses plugin directories (like /usr/lib/acronis/ or /opt/acronis/backup/), finds backup files, or configuration files (.conf, .json).

Proof of Concept: Exploiting the Vulnerability

Let's see a simplified code snippet that illustrates the permission flaw.

Dangerous code pattern

```bash
#!/bin/bash
# Vulnerable backup script invoked by the plugin; runs as root.

# $USER comes straight from the caller's environment and is never validated.
tar czf /var/acronis/backups/$USER-$(date +%F).tar.gz /home/$USER

# No check that $USER names a legitimate, non-privileged account
# No check that the script was invoked by that same user
```

Because this script runs as root and takes $USER from untrusted input, any regular user can run:

```bash
# Attacker as user 'attacker'
export USER=root
/path/to/plugin/backup-script.sh
```

This creates an archive of /home/root, disclosing highly sensitive files.
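For contrast, here is a hardened counterpart of the script above. It is an added example written for this page, not Acronis code: the account to back up is derived from the real calling identity (SUDO_USER when started through sudo, otherwise id(1)) instead of the attacker-controllable USER variable, and it must pass a strict name check before it ever reaches tar. The /var/acronis/backups and /home layout is taken from the page; everything else is an assumption.

```bash
#!/bin/bash
# Added example, not the plugin's code: hardened counterpart of the vulnerable
# script. The account name never comes from $USER, and it is validated before use.

# Accept only plain, non-root account names (lowercase letters, digits, '_', '-').
# '', 'root', or anything containing '/' or '.' is refused, so the value can
# never steer tar outside /home or at the superuser's files.
validate_account_name() {
    case "$1" in
        ''|root|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Identity of the caller: sudo records the invoking user in SUDO_USER; when the
# script is started directly, use the effective user reported by id(1).
# USER is deliberately never consulted, so 'export USER=root' has no effect.
caller_account() {
    if [ -n "${SUDO_USER:-}" ]; then
        printf '%s\n' "$SUDO_USER"
    else
        id -un
    fi
}

# Archive path for a validated account; fails (exit 1) for anything else.
backup_target() {
    validate_account_name "$1" || return 1
    printf '/var/acronis/backups/%s-%s.tar.gz\n' "$1" "$(date +%F)"
}

# Create the archive with owner-only permissions (umask 077), and only for the
# account that actually invoked the script. Call this from the plugin entry point.
run_backup() {
    acct="$(caller_account)" || return 1
    if ! validate_account_name "$acct"; then
        printf 'refusing backup: invalid account %s\n' "$acct" >&2
        return 1
    fi
    umask 077
    tar czf "$(backup_target "$acct")" -- "/home/$acct"
}
```

The two properties that close the hole are that the identity is taken from a source the caller cannot set (sudo writes SUDO_USER itself; id reports the real effective uid) and that the name is whitelisted before being spliced into a path, so neither `USER=root` nor a traversal string like `../root` survives to the tar command.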

Overly broad file permissions example

```bash
# List potentially vulnerable plugin files
ls -l /usr/lib/acronis/backups/
```

Output:

```
-rw-rw-rw- 1 root root  4096 Apr  1 10:30 admin-backup-2024-04-01.tar.gz
```

Any local user can read and overwrite this file.

Real-world Attack Impact

- Hosting provider breach: If a panel server serves multiple customers (as is common), any single compromised website or shell account may allow attackers to view/alter all customer backups.
- Credential leaks: Backups often contain .env files, database credentials, SSH keys, site config, and even entire user directories.
- Persistence: Malicious content can be inserted into backups, leading to reinfection upon restoration.
- Server-wide compromise: A determined attacker could replace admin backups with trojanized ones, trigger restore, and escalate privileges.
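The persistence and trojanized-restore risks above are the reason to keep an integrity record of archives somewhere the backup directory's permissions cannot reach. The following is an added example, not part of the advisory or of Acronis's tooling: it writes a SHA-256 manifest for a backup directory and refuses to treat any archive whose hash has changed as restorable. The directory and manifest paths are assumptions, and the sample archives are constructed text files standing in for real tarballs so the check runs offline.

```bash
# Added example, not Acronis code: hash manifest for a backup directory, stored
# outside that directory, plus a verifier to gate restores on.

# SHA-256 of one file (GNU coreutils sha256sum, or shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Record "<hash> <relative path>" for every regular file under $1 into $2.
# $2 should live in a root-only location, not inside the backup tree.
write_manifest() {
    local dir="$1" out="$2" f
    : > "$out"
    ( cd "$dir" && find . -type f | sort ) | while IFS= read -r f; do
        printf '%s %s\n' "$(sha256_of "$dir/$f")" "$f" >> "$out"
    done
}

# Print the relative path of every manifest entry that is missing or altered.
# Returns 1 when anything was flagged, so a restore script can stop on it.
verify_manifest() {
    local dir="$1" manifest="$2" bad=0 h f
    while read -r h f; do
        if [ ! -f "$dir/$f" ] || [ "$(sha256_of "$dir/$f")" != "$h" ]; then
            printf '%s\n' "$f"
            bad=1
        fi
    done < "$manifest"
    return $bad
}

# Constructed demo: two archives, manifest written, then one archive is altered
# after the fact (simulating a modified backup). Prints the flagged path(s).
demo_tamper_detection() {
    local dir result
    dir="$(mktemp -d)"
    printf 'alice site\n' > "$dir/alice-2024-04-01.tar.gz"
    printf 'bob site\n'   > "$dir/bob-2024-04-01.tar.gz"
    write_manifest "$dir" "$dir.manifest"
    printf 'extra bytes\n' >> "$dir/bob-2024-04-01.tar.gz"   # simulated alteration
    result="$(verify_manifest "$dir" "$dir.manifest" || true)"
    rm -rf "$dir" "$dir.manifest"
    printf '%s\n' "$result"
}
```

In production the manifest must be written at backup time by the privileged component and stored where the world-writable directory's permissions do not apply; a manifest kept next to the archives can be rewritten by the same attacker who replaced them.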

DirectAdmin plugin: Build 147

Upgrade immediately if running an affected version!

Official Acronis advisory (archived link as example)

1. Check plugin version

```bash
# For cPanel
rpm -qi acronis-backup-cpanel
# For Plesk
plesk bin extension --info acronis-backup
# For DirectAdmin
cat /usr/local/directadmin/plugins/acronis-backup/version
```

If the installed build is lower than the corresponding fixed build (619, 555, or 147, in the same order as the commands above), you are *vulnerable*.

2. Inspect permissions (replace paths if different)

```bash
find /usr/lib/acronis /opt/acronis -type f -perm /o+r,o+w 2>/dev/null
```

If you see any sensitive backup/config file readable or writable by "other", you're at risk.

Remove group and world access from those trees:

```bash
chmod -R go-rwx /usr/lib/acronis/backup/ /var/acronis/backups/
```
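The inspect-then-tighten steps above can be wrapped so they are repeatable and can be re-run after every plugin update. The block below is an added example, not Acronis tooling: the same "readable or writable by other" test as the find command above, the same chmod, and a before/after count. The real paths are /usr/lib/acronis and /var/acronis/backups; the sample tree here is constructed under mktemp so the check can be exercised on any machine.

```bash
# Added example, not Acronis code: audit a tree for world-accessible files,
# tighten it, and audit again.

# Regular files under the given paths with read or write granted to "other".
# -perm -004 / -perm -002 each test one bit (portable); OR-ing them matches the
# GNU-specific "-perm /o+r,o+w" used in the manual check above.
audit_world_access() {
    find "$@" -type f \( -perm -004 -o -perm -002 \) 2>/dev/null | sort
}

# Number of exposed files, for a quick pass/fail in scripts or monitoring jobs.
count_exposed() {
    audit_world_access "$@" | wc -l | tr -d ' '
}

# Strip group and other permissions from everything under the given paths.
tighten_tree() {
    chmod -R go-rwx "$@"
}

# Constructed sample tree: a world-writable archive (the -rw-rw-rw- case shown
# earlier), a world-readable config, and one file that is already restricted.
make_sample_tree() {
    root="$(mktemp -d)"
    mkdir -p "$root/backups" "$root/etc"
    : > "$root/backups/admin-backup-2024-04-01.tar.gz"
    chmod 0666 "$root/backups/admin-backup-2024-04-01.tar.gz"
    : > "$root/etc/agent.json"
    chmod 0644 "$root/etc/agent.json"
    : > "$root/etc/agent.key"
    chmod 0600 "$root/etc/agent.key"
    printf '%s\n' "$root"
}

# Audit, fix, audit again on the sample tree; prints "before=<n> after=<n>".
audit_and_fix_demo() {
    tree="$(make_sample_tree)"
    before="$(count_exposed "$tree")"
    tighten_tree "$tree"
    after="$(count_exposed "$tree")"
    rm -rf "$tree"
    printf 'before=%s after=%s\n' "$before" "$after"
}
```

Point audit_world_access at the real plugin and backup directories; a non-zero count after an upgrade means the new build did not fix the permissions on its own and the chmod step is still needed.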

Harden plugin user execution

Only allow intended users/groups to run backup scripts (replace acronisuser with plugin’s service user):

```bash
chown -R acronisuser:acronisgroup /usr/lib/acronis/backup/
```

Monitor log files for suspicious plugin usage

After upgrading to a fixed build, re-run the version and permission checks above to confirm that the new build actually restricts privileges and file access, rather than assuming the vendor's fix is complete.

Stay Updated!

Sign up with your hosting provider, plugin vendor, or the Acronis Security Portal for future notifications.

Reference links:
- Acronis Knowledge Base
- NVD entry for CVE-2024-8767
- Exploit Database: CVE-2024-8767

Recap

*CVE-2024-8767* shows how over-privileged software components, especially in sensitive infrastructure like backups, can seriously expose your operation.

Don’t delay:

- Upgrade ASAP if needed
- Remove broad privileges on backup/config files
- Regularly audit who can access what

A little early effort now can block a massive data breach or disruptive attack later!

Timeline

Published on: 09/17/2024 09:15:03 UTC
Last modified on: 09/20/2024 12:31:20 UTC