CVE-2023-41743 – This CVE describes a local privilege escalation... (How to Fix)

Q: What is the severity of CVE-2023-41743?

CVE-2023-41743 has a CVSS score of 7.8 (HIGH). This CVE describes a local privilege escalation vulnerability in Acronis products for Windows. It allows a local low-privileged user to gain SYSTEM-level privileges by exploiting insecure driver communication port permissions. Affected users include anyone running vulnerable versions of Acronis Cyber Protect Home Office, Acronis Agent, or Acronis Cyber Protect 15 on Windows systems.

📋 TL;DR

This CVE describes a local privilege escalation vulnerability in Acronis products for Windows. It allows a local low-privileged user to gain SYSTEM-level privileges by exploiting insecure driver communication port permissions. Affected users include anyone running vulnerable versions of Acronis Cyber Protect Home Office, Acronis Agent, or Acronis Cyber Protect 15 on Windows systems.

💻 Affected Systems

Products:

Acronis Cyber Protect Home Office (Windows)
Acronis Agent (Windows)
Acronis Cyber Protect 15 (Windows)

Versions: Acronis Cyber Protect Home Office before build 40278, Acronis Agent before build 31637, Acronis Cyber Protect 15 before build 35979

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: All default installations of affected versions are vulnerable. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with local access can achieve full SYSTEM privileges, enabling complete system compromise, installation of persistent malware, credential theft, and lateral movement within the network.

🟠

Likely Case

Malicious local users or malware with initial foothold can escalate privileges to bypass security controls, disable security software, and maintain persistence on compromised systems.

🟢

If Mitigated

With proper patching and least privilege principles, impact is limited to denial of service at the application level without system-wide compromise.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local access to the system, not directly exploitable over the internet.

🏢 Internal Only: HIGH - Once an attacker gains initial access to a system (via phishing, malware, etc.), this vulnerability enables full system compromise and lateral movement within the internal network.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires local access but is considered low complexity once local access is obtained. No public exploit code is known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Acronis Cyber Protect Home Office build 40278+, Acronis Agent build 31637+, Acronis Cyber Protect 15 build 35979+

Vendor Advisory: https://security-advisory.acronis.com/SEC-4858

Restart Required: Yes

Instructions:

1. Open Acronis application. 2. Check for updates in settings. 3. Install available updates. 4. Restart the system to complete installation.

🔧 Temporary Workarounds

Restrict local user access

windows

Limit local user accounts to only trusted personnel and implement strict access controls to reduce attack surface.

Monitor driver communication

windows

Implement monitoring for unusual driver communication patterns or unauthorized attempts to access driver ports.

🧯 If You Can't Patch

Remove Acronis products from critical systems until patching is possible
Implement application whitelisting to prevent unauthorized processes from interacting with Acronis drivers

🔍 How to Verify

Check if Vulnerable:

Check Acronis application version in settings or control panel and compare with patched versions listed in advisory.

Check Version:

Check Acronis application GUI or run: wmic product where "name like '%Acronis%'" get name, version

Verify Fix Applied:

Verify installed version matches or exceeds patched build numbers: Home Office ≥40278, Agent ≥31637, Cyber Protect 15 ≥35979.

📡 Detection & Monitoring

Log Indicators:

Unusual driver loading events
Failed privilege escalation attempts in security logs
Suspicious process creation from Acronis services

Network Indicators:

Local inter-process communication anomalies
Unexpected driver port access

SIEM Query:

EventID=4688 AND (ProcessName LIKE '%acronis%' OR ParentProcessName LIKE '%acronis%') AND NewProcessName='cmd.exe' OR NewProcessName='powershell.exe'

📊 Metadata

CVE ID: CVE-2023-41743

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-269

Published: August 31, 2023

Last Updated: November 21, 2024

🔗 References

https://security-advisory.acronis.com/SEC-4858 Release Notes,Vendor Advisory
https://security-advisory.acronis.com/advisories/SEC-5487 Release Notes,Vendor Advisory
https://security-advisory.acronis.com/SEC-4858 Release Notes,Vendor Advisory
https://security-advisory.acronis.com/advisories/SEC-5487 Release Notes,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-41743, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Agent by Acronis

Cyber Protect by Acronis

Cyber Protect by Acronis

Cyber Protect by Acronis

Cyber Protect by Acronis

Cyber Protect by Acronis

Cyber Protect by Acronis

Cyber Protect Home Office by Acronis

Cyber Protect Home Office by Acronis

Cyber Protect Home Office by Acronis

Cyber Protect Home Office by Acronis

Cyber Protect Home Office by Acronis

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict local user access

Monitor driver communication

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities