CVE-2023-27347
📋 TL;DR
This vulnerability in G DATA Total Security allows local attackers to escalate privileges from low-privileged user accounts to SYSTEM level by exploiting symbolic link handling in the G DATA Backup Service. Attackers must first gain execution capability on the target system. Only installations of G DATA Total Security with the vulnerable Backup Service component are affected.
💻 Affected Systems
- G DATA Total Security
📦 What is this software?
Total Security by Gdata Software
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, and lateral movement across the network.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install additional malware, and maintain persistence on compromised systems.
If Mitigated
Limited impact if proper endpoint protection, least privilege principles, and application control are implemented to prevent initial low-privileged code execution.
🎯 Exploit Status
Requires local access and ability to execute low-privileged code first. Symbolic link manipulation is a well-known technique for privilege escalation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check G DATA updates for version addressing ZDI-CAN-18749
Vendor Advisory: https://www.gdatasoftware.com/security
Restart Required: Yes
Instructions:
1. Open G DATA Total Security. 2. Navigate to Update Center. 3. Click 'Update now' to download latest virus definitions and program updates. 4. Restart the system when prompted.
🔧 Temporary Workarounds
Disable G DATA Backup Service
windowsTemporarily disable the vulnerable service until patching is possible
sc stop GDBackupService
sc config GDBackupService start= disabled
Remove symbolic link creation privileges
windowsRestrict ability to create symbolic links to prevent exploitation
Set registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\EnableLinkedConnections = 0
🧯 If You Can't Patch
- Implement strict application control policies to prevent execution of unauthorized low-privileged code
- Apply principle of least privilege to user accounts and monitor for suspicious privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check G DATA Total Security version and ensure it's updated past the patch release date for ZDI-CAN-18749. Verify GDBackupService is running.Check Version:
Check G DATA interface under 'About' or run: wmic product where "name like 'G DATA%'" get versionVerify Fix Applied:
Confirm G DATA Total Security is updated to latest version and test symbolic link creation in context of Backup Service functionality.📡 Detection & Monitoring
Log Indicators:
- Unusual symbolic link creation events in Windows security logs
- GDBackupService process spawning unexpected child processes
- Privilege escalation attempts from low-privileged accounts
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
EventID=4688 AND ProcessName="GDBackupService.exe" AND ParentProcessName contains non-GD process