CVE-2024-1868
📋 TL;DR
This vulnerability in G DATA Total Security allows local attackers to escalate privileges from a low-privileged account to SYSTEM level by exploiting a symbolic link issue in the G DATA Backup Service. Attackers must first gain execution capability on the target system. All installations of G DATA Total Security with the vulnerable Backup Service are affected.
💻 Affected Systems
- G DATA Total Security
📦 What is this software?
Total Security by Gdata Software
⚠️ Risk & Real-World Impact
Worst Case
Full SYSTEM compromise allowing complete control of the system, installation of persistent malware, credential theft, and lateral movement across the network.
Likely Case
Local privilege escalation enabling attackers to bypass security controls, install additional malware, and maintain persistence on compromised systems.
If Mitigated
Limited impact if proper endpoint protection, least privilege principles, and application control are implemented to prevent initial low-privileged code execution.
🎯 Exploit Status
Exploitation requires local access and ability to create symbolic links. The vulnerability is well-documented by ZDI with technical details available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check G DATA security updates for specific version
Vendor Advisory: https://www.gdatasoftware.com/security
Restart Required: Yes
Instructions:
1. Open G DATA Total Security 2. Navigate to Update Center 3. Check for and install all available updates 4. Restart the system to ensure the Backup Service is updated
🔧 Temporary Workarounds
Disable G DATA Backup Service
windowsTemporarily disable the vulnerable service until patching is possible
sc stop "G DATA Backup Service"
sc config "G DATA Backup Service" start= disabled
Restrict symbolic link creation
windowsApply Windows security policy to restrict who can create symbolic links
secedit /export /cfg secpol.cfg
Edit secpol.cfg to add 'SeCreateSymbolicLinkPrivilege' restrictions
secedit /configure /db secedit.sdb /cfg secpol.cfg
🧯 If You Can't Patch
- Implement strict application control policies to prevent execution of unauthorized low-privileged code
- Apply principle of least privilege to all user accounts and service accounts
🔍 How to Verify
Check if Vulnerable:
Check if G DATA Total Security is installed and the Backup Service is running. Review installed version against G DATA security advisories.Check Version:
Check G DATA interface for version information or examine installed programs in Control PanelVerify Fix Applied:
Verify G DATA Total Security is updated to latest version and check that the Backup Service version has been updated.📡 Detection & Monitoring
Log Indicators:
- Unusual symbolic link creation events in Windows Security logs
- G DATA Backup Service errors or unexpected file operations
- Process creation from G DATA Backup Service with SYSTEM privileges
Network Indicators:
- No specific network indicators as this is a local vulnerability
SIEM Query:
EventID=4688 AND NewProcessName LIKE '%gdbackup%' AND SubjectUserName='SYSTEM' OR Windows Security EventID=4656 with ObjectName containing symbolic link operations