CVE-2024-22167
📋 TL;DR
A DLL hijacking vulnerability in SanDisk PrivateAccess for Windows allows local attackers to execute arbitrary code with system privileges. This requires the attacker to already have access to the user's vault or system. Only Windows users of this specific application are affected.
💻 Affected Systems
- SanDisk PrivateAccess Desktop Application
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges leading to data theft, persistence, and lateral movement within the network.
Likely Case
Local privilege escalation from a lower-privileged user account to SYSTEM, enabling further attacks on the compromised machine.
If Mitigated
Limited impact if proper access controls prevent unauthorized local access and vault files are secured.
🎯 Exploit Status
Requires local access and specific conditions (vault access or existing compromise).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.4.11
Vendor Advisory: https://www.westerndigital.com/support/product-security/wdc-24002-sandisk-privateaccess-desktop-app-v-6-4-11
Restart Required: Yes
Instructions:
1. Download SanDisk PrivateAccess version 6.4.11 from official sources.
2. Run the installer.
3. Restart the system after installation completes.
🔧 Temporary Workarounds
Restrict DLL Search Path
Use Windows policies to restrict DLL search paths and prevent loading from untrusted directories.
Configure via Group Policy: Computer Configuration > Windows Settings > Security Settings > Application Control Policies > DLL Rules
Remove Unnecessary Privileges
Run SanDisk PrivateAccess with minimal required privileges instead of SYSTEM context.
Use Windows Task Scheduler or runas to execute with limited user account
🧯 If You Can't Patch
- Restrict physical and remote access to systems running vulnerable versions.
- Implement strict access controls on vault files and monitor for unauthorized access attempts.
🔍 How to Verify
Check if Vulnerable:
Check the SanDisk PrivateAccess version in Windows Programs and Features. If the version is below 6.4.11, the system is vulnerable.
Check Version:
wmic product where name="SanDisk PrivateAccess" get version
Verify Fix Applied:
Confirm version shows 6.4.11 or higher in Programs and Features after update.
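The version check above as a script, added here as an example and not taken from the vendor advisory: it reads the installed version from the Uninstall registry keys and compares it numerically against 6.4.11, since a plain string comparison would rank 6.4.9 above 6.4.11. It assumes the application registers a DisplayName containing "PrivateAccess" under the standard Uninstall keys; the function name is hypothetical.

```powershell
# Added example (not vendor code). Assumption: the installer registers a
# DisplayName containing "PrivateAccess" under the standard Uninstall keys.

function Test-PrivateAccessPatched {
    param(
        [string]$DisplayVersion,
        [version]$Fixed = '6.4.11'   # patch version stated in the advisory
    )
    $parsed = $null
    # Keep only the leading dotted-numeric part (drops suffixes such as "-beta").
    if ($DisplayVersion -match '^\d+(\.\d+){1,3}') {
        if ([version]::TryParse($Matches[0], [ref]$parsed)) {
            return ($parsed -ge $Fixed)   # numeric, component-wise comparison
        }
    }
    return $null                          # missing or unparseable version string
}

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*PrivateAccess*' } |
    ForEach-Object {
        $patched = Test-PrivateAccessPatched -DisplayVersion ([string]$_.DisplayVersion)
        $status  = if ($null -eq $patched) { 'unknown version format' }
                   elseif ($patched)       { 'patched' }
                   else                    { 'VULNERABLE (below 6.4.11)' }
        [pscustomobject]@{
            Name    = $_.DisplayName
            Version = $_.DisplayVersion
            Status  = $status
        }
    }

# Constructed sample values: as strings, '6.4.9' -lt '6.4.11' is False, so a
# string comparison would treat 6.4.9 as patched. The numeric check does not.
'6.4.9', '6.4.11', '6.4.11.0', '6.5.0' | ForEach-Object {
    '{0,-10} patched={1}' -f $_, (Test-PrivateAccessPatched -DisplayVersion $_)
}
```

No output from the registry section means no matching entry was found, which is not the same as the application being absent if it was installed without registering an Uninstall entry.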
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing DLL loading from unusual paths
- Process creation events for SanDisk PrivateAccess with suspicious parent processes
Network Indicators:
- No network indicators - this is a local attack
SIEM Query:
EventID=4688 AND NewProcessName="*PrivateAccess*" AND ParentProcessName NOT IN ("explorer.exe", "svchost.exe")