CVE-2022-24286
📋 TL;DR
Acer QuickAccess software contains a local privilege escalation vulnerability where unprivileged users can communicate with a system service via an insecurely configured named pipe. The service executes arbitrary programs with SYSTEM privileges without proper user verification, allowing local attackers to gain full system control. This affects Acer devices running vulnerable versions of QuickAccess software.
💻 Affected Systems
- Acer QuickAccess
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full SYSTEM privileges, enabling complete system compromise, persistence installation, credential theft, and lateral movement.
Likely Case
Local user or malware elevates privileges to SYSTEM to bypass security controls, install additional malware, or access protected resources.
If Mitigated
With proper endpoint protection and least privilege principles, exploitation attempts would be detected and blocked, limiting impact to isolated systems.
🎯 Exploit Status
Exploitation requires local user access but is straightforward once access is obtained. The named pipe communication mechanism is well-documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.01.3030 or 3.00.3038 and later
Vendor Advisory: https://community.acer.com/en/kb/articles/14762
Restart Required: Yes
Instructions:
1. Open the Acer QuickAccess application.
2. Check for updates in settings.
3. Download and install version 2.01.3030 or 3.00.3038.
4. Restart the system.
Alternatively, download from the Acer support website and install manually.
🔧 Temporary Workarounds
Disable QuickAccess Service
Windows: Stop and disable the vulnerable QuickAccess service to prevent exploitation.
sc stop "QuickAccess Service"
sc config "QuickAccess Service" start= disabled
Remove Named Pipe Permissions
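Windows: Modify named pipe permissions to restrict access to authorized users only. A named pipe's ACL is set by the service each time it creates the pipe and is not stored on disk, so this change does not survive a service restart or reboot and must be reapplied.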
icacls "\\.\pipe\QuickAccessPipe" /remove Everyone
icacls "\\.\pipe\QuickAccessPipe" /grant SYSTEM:F
🧯 If You Can't Patch
- Uninstall Acer QuickAccess software completely from affected systems
- Implement application whitelisting to block execution of unauthorized programs via the vulnerable service
🔍 How to Verify
Check if Vulnerable:
Check the QuickAccess version in Control Panel > Programs and Features. If the version is 2.01.300x (before 2.01.3030) or 3.00.30xx (before 3.00.3038), the system is vulnerable.
Check Version:
wmic product where "name like 'Acer QuickAccess%'" get version
Verify Fix Applied:
Verify QuickAccess version is 2.01.3030 or higher for v2.x, or 3.00.3038 or higher for v3.x. Check that named pipe \\.\pipe\QuickAccessPipe has restricted permissions.
📡 Detection & Monitoring
Log Indicators:
- Event logs showing QuickAccess service executing unexpected processes
- Security logs with privilege escalation events from QuickAccess context
Network Indicators:
- Local named pipe communication attempts to \\.\pipe\QuickAccessPipe from non-privileged users
SIEM Query:
EventID=4688 AND NewProcessName="*QuickAccess*" AND SubjectUserName!=SYSTEM
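The first log indicator above (the QuickAccess service executing unexpected processes) can be checked offline against exported 4688 events. The following Python is an added example, not part of the original advisory or of Acer's tooling. The events, the `Example` install path, the `QuickAccessSvc.exe` name and the allowlist are constructed placeholders, and the `quickaccess` substring match is an assumption mirroring the page's `*QuickAccess*` wildcard.

```python
# Constructed example: offline triage of exported Security 4688 events.
# Assumption: the service image path contains "quickaccess", mirroring the
# page's *QuickAccess* wildcard; confirm the real path on a patched host.
SERVICE_MARKER = "quickaccess"
# Assumption: full paths of children the service legitimately starts.
# Placeholder baseline; full paths are used so a renamed binary in a
# user-writable directory does not pass as an expected child.
EXPECTED_CHILDREN = {r"c:\program files\example\quickaccess\quickaccess.exe"}
# Integrity-level SIDs recorded in the MandatoryLabel field of 4688.
ELEVATED_LABELS = {"S-1-16-12288": "High", "S-1-16-16384": "System"}


def suspicious_children(events):
    """Return (child, parent, integrity) for unexpected elevated children
    whose parent process is a QuickAccess image."""
    hits = []
    for ev in events:
        if str(ev.get("EventID")) != "4688":
            continue
        parent = ev.get("ParentProcessName", "")
        child = ev.get("NewProcessName", "")
        if SERVICE_MARKER not in parent.lower():
            continue  # not spawned by the service
        if child.lower() in EXPECTED_CHILDREN:
            continue  # known-good child at its expected full path
        level = ELEVATED_LABELS.get(ev.get("MandatoryLabel"))
        if level is None:
            continue  # child is not elevated, nothing was escalated
        hits.append((child, parent, level))
    return hits


SVC = r"C:\Program Files\Example\QuickAccess\QuickAccessSvc.exe"  # constructed
SAMPLE_EVENTS = [  # constructed events, field names as in event 4688
    {"EventID": 4688, "ParentProcessName": SVC, "MandatoryLabel": "S-1-16-16384",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "ParentProcessName": SVC, "MandatoryLabel": "S-1-16-16384",
     "NewProcessName": r"C:\Program Files\Example\QuickAccess\QuickAccess.exe"},
    {"EventID": 4688, "ParentProcessName": r"C:\Windows\explorer.exe",
     "MandatoryLabel": "S-1-16-8192",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "ParentProcessName": SVC, "MandatoryLabel": "S-1-16-16384",
     "NewProcessName": r"C:\Users\alice\QuickAccess.exe"},
    {"EventID": 4689, "ProcessName": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for child, parent, level in suspicious_children(SAMPLE_EVENTS):
        print(f"ALERT {level}: {parent} -> {child}")
```

The `ParentProcessName` field is only populated on Windows versions that log the newer 4688 schema, and process-creation auditing must be enabled for these events to exist at all.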