CVE-2020-16171

An issue was discovered in Acronis Cyber Backup before 12.5 Build 16342. Some API endpoints on port 9877 under /api/ams/ accept an additional custom Shard header. The value of this header is afterwards used in a separate web request issued by the application itself. This can be abused to conduct SSRF attacks against otherwise unreachable Acronis services that are bound to localhost such as the NotificationService on 127.0.0.1:30572.
SSRF
Base Score (CVSS 3.x)

Provider  Type  Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      NIST  6.5 MEDIUM  NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
mitre     CNA   ---         ---
CVE       ADP   ---         ---

EPSS Score: Percentile 92%
Vendor   Product       Version
acronis  cyber_backup  ≤ 12.5        x
acronis  cyber_backup  12.5
acronis  cyber_backup  12.5:10130
acronis  cyber_backup  12.5:10330
acronis  cyber_backup  12.5:11010
acronis  cyber_backup  12.5:13160
acronis  cyber_backup  12.5:13400
acronis  cyber_backup  12.5:14280
acronis  cyber_backup  12.5:14330
acronis  cyber_backup  12.5:16180
acronis  cyber_backup  12.5:16318
acronis  cyber_backup  12.5:16327
acronis  cyber_backup  12.5:7641
acronis  cyber_backup  12.5:7970
acronis  cyber_backup  12.5:8850
acronis  cyber_backup  12.5:9010

x = Vulnerable software versions