60856: Acronis Backup 11.7, Acronis Backup 12.5, Acronis True Image: Spectre and Meltdown vulnerabilities

Also read in:

use Google Translate

Acronis True Image (any version) and Acronis Backup versions 11.7 and 12.5 are not directly affected by Meltdown or Spectre.

Introduction

Acronis will continue to monitor the vulnerabilities. This article will be updated with new information if such arises.

CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 - also known as Meltdown and Spectre - exploit critical vulnerabilities in modern processors. Meltdown and Spectre work on personal computers, mobile devices, servers and in the cloud. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of information stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, emails, instant messages and even business-critical documents.

Is Acronis Backup or Acronis True Image affected?

Most of Acronis Backup components are not directly affected by Meltdown or Spectre as it operates on a higher application layer. However, when Acronis Backup is installed on the Windows Server, Windows Desktop, Mac OS X and Linux operating systems, which are vulnerable, then the latest security patches should be applied. The same statements also apply to any version of Acronis True Image.

The exceptions from the above rule are "Agent for VMware (Virtual Appliance)" (for both 11.7 and 12.5 versions) and "All-In-One Appliance" (introduced in 12.5 Update 2) components of Acronis Backup which run on Linux OS customized by Acronis. We have analyzed potential risks introduced by Meltdown and Spectre vulnerabilities for these components and we conclude that these vulnerabilities do not add any significant risks for Acronis customers and their data, due to the fact that only code provided by Acronis runs within these components.

However to mitigate even these minimal risks we still plan to apply security patches for Linux OS used in these systems in the upcoming updates.

We highly recommend that you install all the latest versions of your operating system(s), browsers and virtualization software, e.g. virtualization hosts (VMware vSphere ESXi hosts for example) to keep your deployment safe.

Security Patches

Microsoft:

Windows 10, 8.1 and 7 -  https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb405.... For more information - https://support.microsoft.com/en-us/help/4073119/protect-against-specula...

Edge and Internet Explorer 11 browsers - https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mit...

Windows Server (different versions) - https://support.microsoft.com/en-us/help/4072698/windows-server-guidance...

Linux:

Refer to your Linux distribution update repository to update the kernel version. For more information - see http://www.kroah.com/log/blog/2018/01/06/meltdown-status/

Apple:

macOS High SierraSafari and iOS 11.2 - https://support.apple.com/en-us/HT208394

Google:

Android - https://source.android.com/security/bulletin/2018-01-01

Chrome - https://www.chromium.org/Home/chromium-security/ssca

Others:

Firefox - https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-cla...

Known Issues

Some of the Operating System security patches are known to cause issues with Anti-Virus software and older AMD processors. Please consult your vendor's recommendations before applying any patches.

Tags: