security issues at login and password recovery

Hello, I have this situation:
1- I cleaned up all browser cache on Internet Explorer 11.0.9600
2- I successfully logged in without being asked to enter a password -> first security issue -> I logged out
3- I successfully logged in again to the Acronis Backup 4 Vmware appliance "A" (build 9.2.10535) using password X
4- I opened a second browser session pointing to an identical Acronis V-app "B" located on another subnet and successfully logged in without being asked to enter a password -> second security issue. It seems that the browser assumes that v-app "A" and "B" have the same user "admin" password.
5- I tried to change the admin password using password A on machine B, but I received an error about "wrong old password" -> but then why could I get in at point 4 if the password was different between "A" and "B"???
6- I have written down the passwords of "A" and "B" in a file, so it seems I can't have made a mistake, but now I can't log in directly on machine "B" nor change the admin's password, and I need to do this operation. It seems the admin password has been corrupted on vm "B". I don't want to reinstall vm "B" from scratch.
I have attached a video showing my issue.
Thanks for help

Best Regards.

Attachment Size
screencapture_11-09-2015_10.49.45.zip 3.67 MB
Acronis Program Manager

Hi,

By default the appliance can be accessed with admin/root (login/pass) credentials. These credentials are tried automatically when you open the appliance web console and there is an exclamation mark against the login name (admin) if the password has not been changed from the default one which is always recommended for security purposes.

If you have changed the password, then once you log into the appliance successfully this session is kept alive on the server (on the appliance side) for a pre-defined time, which can be configured in the /etc/Acronis/vmProtect.config file under the WCS section (the timeout is defined in seconds):

<value name="AccessPointLifeTime" type="Tdword">
"300"
</value>

Hint: you can change this value to a lower one by connecting to the appliance via WinSCP and editing the vmProtect.config file (see the troubleshooting section of the https://kb.acronis.com/content/36100 KB for WinSCP connection instructions)

This time starts counting after you close the tab where the web console is opened or close the entire Internet browser. During this time all new web console connection sessions started in the same browser on the same machine (which had been authenticated successfully) will not be asked for a password. Note that if you try to open the web console in a different browser from the same machine then the password will be asked.

In the video I can see that the 192.168.10.37 appliance is running on the default password, which explains why you couldn't change the password - there were more than 4 symbols typed there. The 192.168.1.15 appliance has a new password applied. You should try logging into the 192.168.10.37 appliance using the default username/password (admin/root).

Thank you.
--
Best regards,
Vasily
Acronis Virtualization Program Manager
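
The timeout setting described in the reply above, as an added example that is not part of the original thread and is not Acronis code: a Python helper that reads, audits and lowers AccessPointLifeTime in a local copy of vmProtect.config (for instance one downloaded with WinSCP). The `<key name="WCS">` wrapper in the sample and the 120-second limit are assumptions; only the `value` element itself comes from the thread.

```python
import re

# Matches the element quoted in the reply; the value is a quoted decimal string.
_PATTERN = re.compile(
    r'(<value\s+name="AccessPointLifeTime"\s+type="Tdword"\s*>\s*")(\d+)("\s*</value>)'
)

# Constructed sample. The <key name="WCS"> wrapper is an assumed layout for
# the "WCS section"; the parser below does not depend on it.
SAMPLE = '''<key name="WCS">
<value name="AccessPointLifeTime" type="Tdword">
"300"
</value>
</key>
'''


def read_lifetime(config_text):
    """Return the session lifetime in seconds, or None if the element is absent."""
    match = _PATTERN.search(config_text)
    return int(match.group(2)) if match else None


def audit(config_text, max_seconds):
    """Return (value, ok); ok is False when the value is missing or above the limit."""
    value = read_lifetime(config_text)
    return value, value is not None and value <= max_seconds


def set_lifetime(config_text, seconds):
    """Return the config text with the lifetime replaced, leaving the rest untouched."""
    # The thread does not say how the appliance treats 0, so only positive values pass.
    if not isinstance(seconds, int) or seconds < 1:
        raise ValueError("seconds must be a positive integer")
    new_text, count = _PATTERN.subn(
        lambda m: m.group(1) + str(seconds) + m.group(3), config_text
    )
    if count != 1:
        raise ValueError(f"expected one AccessPointLifeTime element, found {count}")
    return new_text


if __name__ == "__main__":
    print(audit(SAMPLE, 120))                    # current value against the assumed limit
    print(audit(set_lifetime(SAMPLE, 60), 120))  # after lowering the value
```
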