CVE-2021-47822
📋 TL;DR
DiskBoss Service 12.2.18 has an unquoted service path vulnerability that allows local attackers to execute arbitrary code with SYSTEM privileges. An attacker who can write to a location along the service path can place a malicious executable there, which is then run at service startup and gives complete control of the system. This affects all systems running the vulnerable DiskBoss Service version.
💻 Affected Systems
- DiskBoss Service
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, allowing installation of persistent malware, credential theft, and lateral movement across the network.
Likely Case
Local privilege escalation to SYSTEM, enabling attackers to install backdoors, disable security controls, and access sensitive system resources.
If Mitigated
Limited impact if proper access controls prevent local users from writing to system directories and service paths are properly monitored.
🎯 Exploit Status
Exploitation requires local access to the system and ability to write to directories in the service path. Public exploit code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.diskboss.com
Restart Required: Yes
Instructions:
1. Check vendor website for updated version.
2. If available, download and install updated version.
3. Restart the DiskBoss Service.
4. Verify the service path is properly quoted in Windows Services.
🔧 Temporary Workarounds
Manually Quote Service Path
Windows: Manually edit the service path in Windows Services to include quotes around the executable path
sc config "DiskBoss Service" binPath= "\"C:\Program Files\DiskBoss\diskbsa.exe\""
sc stop "DiskBoss Service"
sc start "DiskBoss Service"
Restrict Directory Permissions
Windows: Remove write permissions for non-administrative users on directories in the service path
icacls "C:\Program Files\DiskBoss" /deny Users:(OI)(CI)W
icacls "C:\Program Files" /deny Users:(OI)(CI)W
🧯 If You Can't Patch
- Disable or uninstall DiskBoss Service if not required
- Implement strict access controls to prevent local users from writing to system directories
🔍 How to Verify
Check if Vulnerable:
Open Windows Services (services.msc), find DiskBoss Service, check Properties, and examine the Path to executable. If the path contains spaces and is not enclosed in quotes, the system is vulnerable.
Check Version:
Check the DiskBoss Service executable properties or registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Verify Fix Applied:
Verify the service path in Windows Services is properly quoted and check that non-admin users cannot write to directories in the service path.
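The quoting check described above can be scripted. The following PowerShell is an added example, not a script from this page or from the vendor; the function names are made up here, the service name and sample path are the ones used in the workaround commands above, and the sample strings are constructed. It reports whether a service path is unquoted with spaces and whether a file already exists at any of the shorter locations Windows would try first.

```powershell
# Added example. Function names are hypothetical; sample strings are constructed
# from the path shown in the workaround section.
$ServiceName = 'DiskBoss Service'   # name used in the sc commands on this page

function Get-ServiceExePath {
    # Split a service ImagePath into its executable part and a "quoted" flag.
    param([Parameter(Mandatory)][string]$PathName)
    $p = $PathName.Trim()
    if ($p -match '^"([^"]+)"') {
        return [pscustomobject]@{ Exe = $Matches[1]; Quoted = $true }
    }
    # Unquoted: treat everything up to the first ".exe" as the intended binary.
    if ($p -match '^(.+?\.exe)(\s|$)') {
        return [pscustomobject]@{ Exe = $Matches[1]; Quoted = $false }
    }
    # No .exe present: fall back to the first whitespace-delimited token.
    return [pscustomobject]@{ Exe = ($p -split '\s+')[0]; Quoted = $false }
}

function Get-AmbiguousCandidates {
    # For an unquoted path, each prefix ending at a space (plus ".exe") is a
    # location that is tried before the real binary. These are the places to audit.
    param([Parameter(Mandatory)][string]$Exe)
    $out = @()
    for ($i = 0; $i -lt $Exe.Length; $i++) {
        if ($Exe[$i] -eq ' ') { $out += $Exe.Substring(0, $i) + '.exe' }
    }
    return ,$out
}

function Test-ServicePath {
    param([Parameter(Mandatory)][string]$PathName)
    $info = Get-ServiceExePath -PathName $PathName
    $unquoted = (-not $info.Quoted) -and ($info.Exe -match '\s')
    $cands = @()
    if ($unquoted) { $cands = Get-AmbiguousCandidates -Exe $info.Exe }
    [pscustomobject]@{
        PathName   = $PathName
        Unquoted   = $unquoted      # True means the service needs the fix
        Candidates = $cands         # locations to audit
        Present    = @($cands | Where-Object { Test-Path -LiteralPath $_ })
    }
}

# Constructed samples: the first is flagged, the second (quoted) is not.
Test-ServicePath 'C:\Program Files\DiskBoss\diskbsa.exe'
Test-ServicePath '"C:\Program Files\DiskBoss\diskbsa.exe"'

# Live check against the installed service, if present.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
if ($svc) { Test-ServicePath $svc.PathName }
```

A non-empty `Present` list means an executable already sits at one of the audited locations and should be investigated before the service is restarted.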
📡 Detection & Monitoring
Log Indicators:
- Unexpected service restarts of DiskBoss Service
- Creation of executable files in DiskBoss installation directory by non-admin users
- Windows Event ID 7045 (Service installed) with suspicious paths
Network Indicators:
- Unusual outbound connections from DiskBoss Service process
SIEM Query:
source="Windows Security" EventID=4688 AND NewProcessName="*diskbsa.exe" AND SubjectUserName!="SYSTEM"