This article applies to:
- Acronis Mobility products: Acronis Cyber Files, Acronis MassTransit and Acronis Files Connect
- POODLE SSL 3.0 Vulnerability (CVE-2014-3566), which affects all implementations of SSL 3.0.
There are two components in a typical installation: the MT Server and the IIS web server.
MT Server is not vulnerable to POODLE as long as the TCP/IP Secure incoming call configuration has the "Legacy SSLv2/3" support checkbox OFF (when it is OFF, we only use TLSv1):
For MT Web, you need to modify the IIS configuration to reject SSLv3 connections as described in this Microsoft Technet article:
You can disable support for the SSL 3.0 protocol on Windows by following these steps:
- Click Start, click Run, type regedt32 or type regedit, and then click OK.
- In Registry Editor, locate the following registry key:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\SSL 3.0\Server
Note: If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.
- On the Edit menu, click Add Value.
- In the Data Type list, click DWORD.
- In the Value Name box, type Enabled, and then click OK.
Note: If this value is present, double-click the value to edit its current value.
- Type 00000000 in Binary Editor to set the value of the new key equal to "0".
- Click OK. Restart the computer.
Note: This workaround will disable SSL 3.0 for all server software installed on a system, including IIS.
Note: After applying this workaround, clients that rely only on SSL 3.0 will not be able to communicate with the server.
Acronis Cyber Files
There are two components that need mitigation: the Access Tomcat and the Access Gateway.
The Access Tomcat server uses the Apache Portable Runtime (APR) for handling SSL connections. APR is built using OpenSSL. Until a new version of APR is available that has the fix in OpenSSL integrated, the solution is to disable support for SSLv3 in the Tomcat file server.xml configuration file and restart the Access Tomcat service.
The specific change is to add SSLProtocol="TLSv1" to the Connector section of the XML file. Below is an example of where the change can be plugged in. Do not replace the whole block of text -- there are other settings that are specific to your server:
SSLCertificateFile="***Access certificate file***"
SSLCertificateKeyFile="***Access key file***"
SSLCertificateChainFile="***Access chain file***" port="443"
The Access Gateway uses the built-in Windows HTTPS server. Until Microsoft issues a security patch with a fix, the solution is to disable SSLv3 support in the Windows operating system as described by Microsoft in this Microsoft Technet article (see: Disable SSL 3.0 in Windows).
On Windows Server 2008 R2 machines, you will also have to do the following:
- Open the registry editor and find: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
- Right-click on the SSL 2.0 folder and select New and then click Key. Name the new folder Server.
- Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.
- Enter Enabled as the name and hit Enter. Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn't, right-click and select Modify and enter 0 as the Value data.
Acronis Files Connect
Is not vulnerable since it does not use HTTPS.