automatic module_metadata_base.json update

rapid7 · Nov 27, 2024 · 07ce1aa · 07ce1aa
1 parent 7de3d11
commit 07ce1aa
Showing 1 changed file with 64 additions and 0 deletions.
diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json
@@ -19473,6 +19473,70 @@
 
     ]
   },
+  "auxiliary_gather/acronis_cyber_protect_machine_info_disclosure": {
+    "name": "Acronis Cyber Protect/Backup machine info disclosure",
+    "fullname": "auxiliary/gather/acronis_cyber_protect_machine_info_disclosure",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>",
+      "Sandro Tolksdorf of usd AG."
+    ],
+    "description": "Acronis Cyber Protect or Backup is an enterprise backup/recovery solution for all,\n          compute, storage and application resources. Businesses and Service Providers are using it\n          to protect and backup all IT assets in their IT environment.\n          This module exploits an authentication bypass vulnerability at the Acronis Cyber Protect\n          appliance which, in its default configuration, allows the anonymous registration of new\n          backup/protection agents on new endpoints. This API endpoint also generates bearer tokens\n          which the agent then uses to authenticate to the appliance.\n          As the management web console is running on the same port as the API for the agents, this\n          bearer token is also valid for any actions on the web console. This allows an attacker\n          with network access to the appliance to start the registration of a new agent, retrieve\n          a bearer token that provides admin access to the available functions in the web console.\n\n          This module will gather all machine info (endpoints) configured and managed by the appliance.\n          This information can be used in a subsequent attack that exploits this vulnerability to\n          execute arbitrary commands on both the managed endpoint and the appliance.\n          This exploit is covered in another module `exploit/multi/acronis_cyber_protect_unauth_rce_cve_2022_3405`.\n\n          Acronis Cyber Protect 15 (Windows, Linux) before build 29486 and\n          Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545 are vulnerable.",
+    "references": [
+      "CVE-2022-30995",
+      "CVE-2022-3405",
+      "URL-https://herolab.usd.de/security-advisories/usd-2022-0008/",
+      "URL-https://attackerkb.com/topics/27RudJXbN4/cve-2022-30995"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 9877,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-11-26 16:10:14 +0000",
+    "path": "/modules/auxiliary/gather/acronis_cyber_protect_machine_info_disclosure.rb",
+    "is_install_path": true,
+    "ref_name": "gather/acronis_cyber_protect_machine_info_disclosure",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
   "auxiliary_gather/adobe_coldfusion_fileread_cve_2023_26360": {
     "name": "Adobe ColdFusion Unauthenticated Arbitrary File Read",
     "fullname": "auxiliary/gather/adobe_coldfusion_fileread_cve_2023_26360",