id: CVE-2023-45249

info:
  name: Acronis Cyber Infrastructure - Default Password
  author: darses
  severity: critical
  description: |
    Acronis Cyber Infrastructure (ACI) before build 5.0.1-61, 5.1.1-71, 5.2.1-69, 5.3.1-53, and 5.4.4-132 contains a remote command execution vulnerability caused by the use of default passwords, letting attackers execute arbitrary commands remotely. Exploitation requires access to the system with default credentials.
  impact: |
    Attackers can execute arbitrary commands remotely, potentially leading to full system compromise.
  remediation: |
    Change default passwords and update to the latest version.
  reference:
    - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/acronis_cyber_infra_cve_2023_45249.rb
    - https://security-advisory.acronis.com/advisories/SEC-6452
    - https://security-advisory.acronis.com/updates/UPD-2310-9e7e-bd9b
    - https://www.securityweek.com/acronis-product-vulnerability-exploited-in-the-wild/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-45249
    cwe-id: CWE-1393,CWE-287
    epss-score: 0.9348
    epss-percentile: 0.99829
    cpe: cpe:2.3:a:acronis:cyber_infrastructure:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: acronis
    product: cyber_infrastructure
    censys-query: services.http.response.html_title:"Acronis Cyber Infrastructure" and services.port:6432
    max-requests: 1
  tags: cve,cve2023,kev,acronis,network,js,postgresql,default-login,vkev,vuln

javascript:
  - pre-condition: |
      isPortOpen(Host,Port);
    code: |
      // Connect to the PostgreSQL service with the default credentials and
      // run a read-only query against the software_info table.
      const postgres = require('nuclei/postgres');
      const client = new postgres.PGClient;
      connected = client.ExecuteQuery(Host, Port, User, Pass, Db, "SELECT release_notes_url FROM software_info");
      // Hand the query result to the matchers below.
      Export(connected);
    args:
      Host: "{{Host}}"
      Port: 6432
      User: "vstoradmin"
      Pass: "vstoradmin"
      Db: "vstoradmin"
    matchers:
      - type: dsl
        dsl:
          - "success == true"
          - "contains_all(response, 'release_notes_url','http://download.acronis.com/vstorage/')"
        condition: and
# digest: 4b0a004830460221008463f6601c36a1de5647abd32281ba6529c6dd0c957c1d4782dd7ce932048444022100a5e372edfa1d477083500afaaf2c6afd94db648897c4804f343cfd66e41fa16b:922c64590222798bb761d5b6d8e72950