CVE-2023-2355
📋 TL;DR
This CVE describes a DLL hijacking vulnerability in Acronis Snap Deploy for Windows that allows local attackers to escalate privileges. Attackers can place malicious DLLs in directories where the application searches, leading to arbitrary code execution with elevated permissions. Only Windows systems running vulnerable versions of Acronis Snap Deploy are affected.
💻 Affected Systems
- Acronis Snap Deploy
📦 What is this software?
Snap Deploy by Acronis
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise where an attacker gains SYSTEM/administrator privileges, enabling complete control over the affected system, data theft, persistence mechanisms, and lateral movement capabilities.
Likely Case
Local privilege escalation from a standard user account to administrator/SYSTEM level, allowing installation of malware, disabling security controls, and accessing sensitive system resources.
If Mitigated
Limited impact if proper access controls prevent unauthorized users from writing to application directories and if endpoint protection blocks suspicious DLL loading behavior.
🎯 Exploit Status
DLL hijacking is a well-known attack technique. While no public proof-of-concept exists for this specific CVE, the exploitation method is straightforward for attackers with local access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 3900 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-4048
Restart Required: Yes
Instructions:
1. Download the latest version of Acronis Snap Deploy (build 3900 or later) from the official Acronis website.
2. Run the installer to update the application.
3. Restart the system to ensure all components are properly loaded with the fixed version.
🔧 Temporary Workarounds
Restrict write permissions to application directories
Prevent non-administrative users from writing DLL files to directories where Acronis Snap Deploy searches for libraries
icacls "C:\Program Files\Acronis\SnapDeploy" /deny Users:(OI)(CI)W
icacls "C:\Program Files (x86)\Acronis\SnapDeploy" /deny Users:(OI)(CI)W
Enable DLL Safe Search Mode
Configure Windows to use SafeDllSearchMode to prevent DLL hijacking attacks
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f
🧯 If You Can't Patch
- Remove Acronis Snap Deploy from systems where it's not essential for operations
- Implement strict access controls to prevent non-administrative users from running the application or writing to its directories
🔍 How to Verify
Check if Vulnerable:
Check the Acronis Snap Deploy version in the application's About dialog or by examining the installed program version in Control Panel > Programs and Features
Check Version:
wmic product where "name like 'Acronis Snap Deploy%'" get version
Verify Fix Applied:
Verify the installed version is build 3900 or higher, and test that the application functions normally after the update
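The following PowerShell script is an added example, not part of this advisory or of Acronis' tooling. It combines the checks from the workarounds and verification steps above into one read-only posture report for a single host: the installed Snap Deploy build (read from the Uninstall registry keys instead of the deprecated wmic), whether non-administrative users can still write into the install directories that the icacls workaround locks down, and whether SafeDllSearchMode is in effect. Assumptions: the install paths are the two given in the workaround, and the build number is the last dot-separated component of the Uninstall key's DisplayVersion (the exact version string format is not stated on this page).

```powershell
# Added example, not from the advisory or Acronis: read-only CVE-2023-2355 posture check.
# Assumptions: install paths as in the workaround; build = last component of DisplayVersion.

$InstallDirs = 'C:\Program Files\Acronis\SnapDeploy', 'C:\Program Files (x86)\Acronis\SnapDeploy'
$FixedBuild  = 3900

function Get-SnapDeployBuild {
    # Read the Uninstall keys (native and WOW6432Node views) rather than the deprecated wmic.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like 'Acronis Snap Deploy*' } |
             Select-Object -First 1
    if (-not $entry) { return $null }
    # Assumption: DisplayVersion ends in the build number, e.g. "x.y.3900".
    return [int](($entry.DisplayVersion -split '\.')[-1])
}

function Test-NonAdminWrite {
    param([string]$Path)
    # True when a broad principal holds an Allow ACE carrying any write bit and no Deny ACE
    # cancels it. Deny entries win, which is exactly what the icacls /deny workaround relies on.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $broad     = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'
    # FileSystemRights.Write (0x116) plus GENERIC_WRITE and GENERIC_ALL as they appear in raw ACEs.
    $writeBits = 0x116 -bor 0x40000000 -bor 0x10000000
    $rules = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $broad -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $writeBits) -ne 0
    }
    $allowed = @($rules | Where-Object { $_.AccessControlType -eq 'Allow' })
    $denied  = @($rules | Where-Object { $_.AccessControlType -eq 'Deny'  })
    return ($allowed.Count -gt 0 -and $denied.Count -eq 0)
}

function Test-SafeDllSearchMode {
    # Safe DLL search mode is on by default; only an explicit 0 turns it off,
    # so a missing value counts as enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $v = (Get-ItemProperty -LiteralPath $key -Name SafeDllSearchMode -ErrorAction SilentlyContinue).SafeDllSearchMode
    return ($null -eq $v -or $v -ne 0)
}

# Report
$build = Get-SnapDeployBuild
if     ($null -eq $build)       { Write-Output 'Acronis Snap Deploy: not found in Uninstall keys' }
elseif ($build -ge $FixedBuild) { Write-Output "Acronis Snap Deploy build $build : patched (>= $FixedBuild)" }
else                            { Write-Output "Acronis Snap Deploy build $build : VULNERABLE to CVE-2023-2355, update to build $FixedBuild or later" }

foreach ($dir in $InstallDirs | Where-Object { Test-Path -LiteralPath $_ }) {
    $state = if (Test-NonAdminWrite -Path $dir) { 'ALLOWED - apply the icacls deny' } else { 'blocked' }
    Write-Output "$dir : non-admin write $state"
}
$state = if (Test-SafeDllSearchMode) { 'enabled' } else { 'DISABLED - set SafeDllSearchMode to 1' }
Write-Output "SafeDllSearchMode: $state"
```

Run it from an elevated prompt so Get-Acl can read the install directories. Two caveats on the ACL check: it only covers the install directories, not every location on the DLL search path (the current directory and PATH entries of the process can also be searched, which is why SafeDllSearchMode matters), and an explicit Deny on Users overrides any inherited Allow, so test the icacls workaround on one host before rolling it out in case a component of the application writes to its own directory while running as a standard user.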
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing DLL loading from unexpected locations (Event ID 7 in Microsoft-Windows-Diagnostics-Performance)
- Acronis application logs showing abnormal behavior or crashes
Network Indicators:
- No direct network indicators as this is a local attack
SIEM Query:
(source="Windows Security" EventID=4688 ProcessName="*SnapDeploy*") OR (source="Sysmon" EventID=7 ImageLoaded="*\Acronis\SnapDeploy\*")
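As an added example of how to act on the Sysmon side of that query (this code is not from the advisory and not Acronis' own tooling), the PowerShell below triages Sysmon Event ID 7 (Image loaded) records for DLLs loaded into Acronis Snap Deploy processes. It parses the event XML, then flags a load that is unsigned or has an invalid signature, that comes from a user-writable location, or that sits in the install directory but is not signed by the vendor. The four event records are constructed for this example; the process name `SnapDeploy.exe`, the host and user names, the user-writable path watchlist and the assumption that Acronis signs its own DLLs are all placeholders or assumptions, not facts taken from this page.

```powershell
# Added example, not the advisory's query: triage Sysmon Event ID 7 "Image loaded" records
# for Acronis Snap Deploy processes. The records below are constructed; SnapDeploy.exe,
# WS01 and the user names are placeholders.
# Live input: Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=7} |
#             ForEach-Object { $_.ToXml() }

$Samples = @(
  '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>7</EventID><Computer>WS01</Computer></System><EventData><Data Name="Image">C:\Program Files\Acronis\SnapDeploy\SnapDeploy.exe</Data><Data Name="ImageLoaded">C:\Windows\System32\kernel32.dll</Data><Data Name="Signed">true</Data><Data Name="Signature">Microsoft Windows</Data><Data Name="SignatureStatus">Valid</Data><Data Name="User">WS01\alice</Data></EventData></Event>',
  '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>7</EventID><Computer>WS01</Computer></System><EventData><Data Name="Image">C:\Program Files\Acronis\SnapDeploy\SnapDeploy.exe</Data><Data Name="ImageLoaded">C:\Program Files\Acronis\SnapDeploy\helper.dll</Data><Data Name="Signed">false</Data><Data Name="Signature"/><Data Name="SignatureStatus">Unavailable</Data><Data Name="User">WS01\alice</Data></EventData></Event>',
  '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>7</EventID><Computer>WS01</Computer></System><EventData><Data Name="Image">C:\Program Files\Acronis\SnapDeploy\SnapDeploy.exe</Data><Data Name="ImageLoaded">C:\Users\alice\AppData\Local\Temp\plugin.dll</Data><Data Name="Signed">true</Data><Data Name="Signature">Some Other Publisher</Data><Data Name="SignatureStatus">Valid</Data><Data Name="User">WS01\alice</Data></EventData></Event>',
  '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>7</EventID><Computer>WS01</Computer></System><EventData><Data Name="Image">C:\Windows\explorer.exe</Data><Data Name="ImageLoaded">C:\Windows\System32\shell32.dll</Data><Data Name="Signed">true</Data><Data Name="Signature">Microsoft Windows</Data><Data Name="SignatureStatus">Valid</Data><Data Name="User">WS01\alice</Data></EventData></Event>'
)

$InstallRoots      = 'C:\Program Files\Acronis\SnapDeploy\', 'C:\Program Files (x86)\Acronis\SnapDeploy\'
$UserWritableRoots = 'C:\Users\', 'C:\ProgramData\', 'C:\Windows\Temp\'   # assumed watchlist, extend per environment
$VendorSigner      = 'Acronis*'                                            # assumption: vendor DLLs carry an Acronis signature

function ConvertFrom-SysmonEvent {
    param([string]$EventXml)
    # Flatten the <Data Name="..."> elements into a hashtable; PowerShell's XML dot-navigation
    # ignores the event namespace, so no namespace manager is needed.
    $x = [xml]$EventXml
    $rec = @{ EventID = [int]$x.Event.System.EventID; Computer = [string]$x.Event.System.Computer }
    foreach ($d in $x.Event.EventData.Data) { $rec[$d.Name] = [string]$d.'#text' }
    return $rec
}

function Test-SuspiciousSnapDeployLoad {
    param([hashtable]$E)
    # Only Image-loaded events whose loading process lives under the Snap Deploy install path.
    if ($E.EventID -ne 7 -or $E.Image -notlike '*\Acronis\SnapDeploy\*') { return $null }
    $reasons = @()
    if ($E.Signed -ne 'true' -or $E.SignatureStatus -ne 'Valid') {
        $reasons += 'unsigned or invalid signature'
    }
    foreach ($root in $UserWritableRoots) {
        if ($E.ImageLoaded -like "$root*") { $reasons += "loaded from user-writable path $root" }
    }
    $inInstallDir = [bool]($InstallRoots | Where-Object { $E.ImageLoaded -like "$_*" })
    if ($inInstallDir -and $E.Signature -notlike $VendorSigner) {
        $reasons += 'DLL in install directory not signed by vendor'
    }
    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{
        Computer = $E.Computer; User = $E.User; Process = $E.Image
        Dll      = $E.ImageLoaded; Reasons = ($reasons -join '; ')
    }
}

# Expected on the sample data: record 1 is clean, record 4 is not a Snap Deploy process,
# records 2 and 3 are reported with their reasons.
$alerts = foreach ($s in $Samples) { Test-SuspiciousSnapDeployLoad (ConvertFrom-SysmonEvent $s) }
$alerts | Where-Object { $_ } | Format-Table -AutoSize
```

Replace `$Samples` with the `Get-WinEvent` pipeline in the header comment to run it over the live Sysmon log; Sysmon must be configured to log Event ID 7 for the Snap Deploy image, since image-load events are off by default in many configurations. The vendor-signer rule will flag legitimately bundled third-party DLLs on a first run, so build an allow-list of their hashes from a known-good install before treating that reason alone as an alert; the unsigned and user-writable-path reasons are the higher-fidelity signals for the hijacking pattern this CVE describes.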