CVE-2022-30696
📋 TL;DR
This CVE describes a DLL hijacking vulnerability in Acronis Snap Deploy for Windows (builds before 3640) that allows local attackers to escalate privileges. By placing a malicious DLL in a directory that a privileged Acronis component searches when it starts, an attacker gets arbitrary code execution with that component's permissions. Only Windows systems running a vulnerable build are affected.
💻 Affected Systems
- Acronis Snap Deploy
📦 What is this software?
Snap Deploy by Acronis: a disk imaging and mass-deployment product for provisioning many machines over the network. Its Windows components include privileged services, which is why a hijacked DLL here yields elevated code execution rather than just code running as the current user.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise where an attacker gains SYSTEM/administrator privileges, enabling complete control over the affected system, data theft, persistence mechanisms, and lateral movement capabilities.
Likely Case
Local privilege escalation from a standard user account to administrator/SYSTEM privileges, allowing installation of malware, modification of system settings, and bypassing security controls.
If Mitigated
Limited impact with proper access controls, application whitelisting, and least privilege principles in place, potentially preventing successful exploitation.
🎯 Exploit Status
DLL hijacking vulnerabilities typically have low exploitation complexity. The attacker needs a local foothold and write access to a directory that a privileged Acronis component searches for a DLL; the payload then runs the next time that component starts (service restart or reboot), with no further user interaction.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 3640 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-3081
Restart Required: Yes
Instructions:
1. Download the latest version of Acronis Snap Deploy from the official Acronis website.
2. Run the installer to update to build 3640 or later.
3. Restart the system to ensure all changes take effect.
🔧 Temporary Workarounds
Restrict write permissions to application directories
Prevent non-administrative users from writing to the directories where Acronis Snap Deploy searches for DLLs. Stock ACLs on Program Files already refuse writes from standard users, so this mainly matters for relocated installs or loosened permissions, and it does nothing for a search location outside the install tree. Note that an explicit deny ACE on Users also binds administrators (the local Users group contains Authenticated Users), so the patch installer will fail until the ACE is removed again with icacls <dir> /remove:d Users.
icacls "C:\Program Files\Acronis\SnapDeploy" /deny Users:(OI)(CI)W
icacls "C:\Program Files (x86)\Acronis\SnapDeploy" /deny Users:(OI)(CI)W
Enable DLL Safe Search Mode
Make sure SafeDllSearchMode is on. It has been the default since Windows XP SP2, and all it does is move the current working directory later in the DLL search order; it does not stop a hijack through a writable application directory or through a DLL the program probes for but does not ship, which are the cases a DLL-hijacking CVE usually covers. Treat it as hygiene, not a fix.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name "SafeDllSearchMode" -Value 1 -Type DWord
🧯 If You Can't Patch
- Remove Acronis Snap Deploy from systems where it's not essential
- Implement strict application control policies (WDAC or AppLocker DLL rules) so that only vendor-signed DLLs can load into the Acronis processes
- Monitor for suspicious DLL loading events using Windows Event Logs or EDR solutions
🔍 How to Verify
Check if Vulnerable:
Check the Acronis Snap Deploy version in the application's About dialog or by examining the installed program version in Control Panel > Programs and Features.
Check Version:
wmic product where "name like 'Acronis Snap Deploy%'" get version
Note that wmic product is slow, triggers a Windows Installer consistency check of every MSI package on the host, and is deprecated (removed from recent Windows 11 builds). The same version string is in the Uninstall keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (and the WOW6432Node equivalent) and can be read with Get-ItemProperty without those side effects.
Verify Fix Applied:
Confirm the installed version reports build 3640 or later. To check behaviour rather than a version string, run the Acronis services under Process Monitor (filter on Result is NAME NOT FOUND and Path ends with .dll) and confirm they no longer probe user-writable directories for DLLs they do not ship.
📡 Detection & Monitoring
Log Indicators:
- Sysmon Event ID 7 (Image loaded): Acronis processes loading DLLs from user-writable directories (C:\Users, C:\ProgramData, C:\Windows\Temp) or loading unsigned DLLs; the event fires only on successful loads, so it shows the hijack, not the probing that precedes it
- Sysmon Event ID 11 (FileCreate), or Security Event ID 4663 with object access auditing on the install directory: a .dll written into an Acronis directory by anything other than the installer
- Windows Event ID 4688 (Process Creation): unexpected child processes of Acronis services after a successful hijack (4688 records process starts, not DLL loads, so it cannot see the load itself)
Network Indicators:
- No network indicators as this is a local privilege escalation vulnerability
SIEM Query:
source="Microsoft-Windows-Sysmon/Operational" EventID=7 AND Image="*\Acronis\*" AND (ImageLoaded="C:\Users\*" OR ImageLoaded="C:\ProgramData\*" OR ImageLoaded="C:\Windows\Temp\*" OR Signed="false")
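The log indicators and the SIEM query above, implemented as triage logic that can be run over exported Sysmon records. This is an added example for this page, not code from the original advisory or from Acronis: it flags Event ID 7 loads by an Acronis process from a user-writable path or of an unsigned DLL, and Event ID 11 writes of a .dll into an Acronis install directory by anything other than the installer. The process and DLL names in the sample records are hypothetical, and the list of user-writable directories assumes stock Windows ACLs.

```python
"""Triage Sysmon records for DLL hijacking of Acronis Snap Deploy components.

Added example for this page, not part of the original advisory or of any
Acronis tooling. Two checks:
  * Event ID 7 (ImageLoaded): an Acronis process loads a DLL from a
    user-writable directory, or loads an unsigned / badly signed DLL.
  * Event ID 11 (FileCreate): a .dll is dropped into an Acronis install
    directory, which is what staging a hijack requires.
Process and file names in the sample events below are hypothetical.
"""
import re

# Directories a standard user can write to on a default Windows install
# (assumption: stock ACLs; extend for your environment). Compared after
# lower-casing, so case does not matter.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
    "c:\\temp\\",
)

# The advisory does not list the vulnerable binaries, so key on the vendor
# path instead (assumption: everything under an \Acronis\ directory).
ACRONIS_DIR_RE = re.compile(r"\\acronis\\", re.IGNORECASE)

# Processes legitimately allowed to write DLLs into the install directory
# (assumption: the MSI engine and TrustedInstaller).
INSTALLER_PROCESSES = {"msiexec.exe", "trustedinstaller.exe"}


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def is_user_writable(path: str) -> bool:
    return _norm(path).startswith(USER_WRITABLE_PREFIXES)


def in_acronis_dir(path: str) -> bool:
    return bool(ACRONIS_DIR_RE.search(path))


def assess(event: dict) -> list[str]:
    """Return the reasons one Sysmon record is suspicious ([] means benign)."""
    reasons: list[str] = []
    eid = event.get("EventID")
    image = event.get("Image", "")

    if eid == 7 and in_acronis_dir(image):
        loaded = event.get("ImageLoaded", "")
        if is_user_writable(loaded):
            reasons.append(f"Acronis process loaded DLL from user-writable path {loaded}")
        if _norm(event.get("Signed", "")) != "true":
            reasons.append(f"loaded DLL {loaded} is unsigned")
        elif _norm(event.get("SignatureStatus", "")) != "valid":
            reasons.append(f"loaded DLL {loaded} has signature status "
                           f"{event.get('SignatureStatus')}")

    elif eid == 11:
        target = event.get("TargetFilename", "")
        writer = _norm(image).rsplit("\\", 1)[-1]   # bare process name
        if (_norm(target).endswith(".dll") and in_acronis_dir(target)
                and writer not in INSTALLER_PROCESSES):
            reasons.append(f"{image} wrote {target} into an Acronis directory")

    return reasons


def flag_suspicious(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Run assess() over a batch; returns (RecordId, reasons) for hits only."""
    return [(ev.get("RecordId", "?"), assess(ev)) for ev in events if assess(ev)]


# Constructed sample records, shaped like Sysmon events exported to JSON.
SAMPLE_EVENTS = [
    {  # benign: system DLL from System32, properly signed
        "RecordId": "1", "EventID": 7,
        "Image": r"C:\Program Files\Acronis\SnapDeploy\SnapDeployAgent.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {  # hijack in progress: unsigned DLL pulled from the user's temp directory
        "RecordId": "2", "EventID": 7,
        "Image": r"C:\Program Files\Acronis\SnapDeploy\SnapDeployAgent.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {  # unrelated process loading from a user path: out of scope here
        "RecordId": "3", "EventID": 7,
        "Image": r"C:\Program Files\SomeVendor\app.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {  # staging: an interactive shell drops a DLL into the install directory
        "RecordId": "4", "EventID": 11,
        "Image": r"C:\Windows\System32\cmd.exe",
        "TargetFilename": r"C:\Program Files\Acronis\SnapDeploy\plugin.dll",
    },
    {  # the installer writing into its own directory is expected
        "RecordId": "5", "EventID": 11,
        "Image": r"C:\Windows\System32\msiexec.exe",
        "TargetFilename": r"C:\Program Files\Acronis\SnapDeploy\core.dll",
    },
]

if __name__ == "__main__":
    for record_id, reasons in flag_suspicious(SAMPLE_EVENTS):
        print(record_id, "->", "; ".join(reasons))
```

Running it flags records 2 and 4 only: the Event 7 hit carries both a path and a signature reason, the Event 11 hit shows the DLL being staged before any load happens, and the installer's own write is ignored. Feed it real events by exporting the Sysmon operational log to JSON with the same field names.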