CVE-2024-34019
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in Acronis Snap Deploy for Windows due to DLL hijacking. Attackers with local access can place malicious DLLs in directories where the application searches, potentially gaining SYSTEM privileges. Only Windows users running vulnerable versions of Acronis Snap Deploy are affected.
💻 Affected Systems
- Acronis Snap Deploy (Windows)
📦 What is this software?
Snap Deploy by Acronis
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains SYSTEM privileges, enabling complete system compromise, data theft, persistence mechanisms, and lateral movement.
Likely Case
Local user or malware with basic privileges escalates to administrative rights, allowing installation of additional malware, disabling security controls, or accessing sensitive data.
If Mitigated
With proper access controls and monitoring, exploitation would be detected and contained before significant damage occurs.
🎯 Exploit Status
DLL hijacking is a well-known attack vector. While no public PoC is mentioned, the technique is straightforward for attackers familiar with Windows DLL loading.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Build 4569 or later
Vendor Advisory: https://security-advisory.acronis.com/advisories/SEC-3079
Restart Required: Yes
Instructions:
1. Download the latest version of Acronis Snap Deploy from the official Acronis website.
2. Install the update following the vendor's installation guide.
3. Restart the system to ensure all components are updated.
🔧 Temporary Workarounds
Restrict write permissions to application directories
Platform: Windows
Prevent unauthorized users from writing DLLs to the directories in which Acronis Snap Deploy searches for libraries.
icacls "C:\Program Files\Acronis\SnapDeploy\" /deny *S-1-1-0:(OI)(CI)(W)
Enable DLL Safe Search Mode
Platform: Windows
Configure Windows to use SafeDllSearchMode, which moves the current directory later in the DLL search order, behind the system directories.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f
🧯 If You Can't Patch
- Implement strict access controls to limit who can log into systems running Acronis Snap Deploy.
- Monitor for suspicious DLL creation in application directories and unexpected privilege escalation events.
🔍 How to Verify
Check if Vulnerable:
Check the Acronis Snap Deploy version in the application's About section or installation directory. Versions before build 4569 are vulnerable.
Check Version:
Check the application's About dialog, or examine the properties of the executables in "C:\Program Files\Acronis\SnapDeploy\".
Verify Fix Applied:
Verify the installed version is build 4569 or later. Check that the patch installation completed successfully without errors.
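The following PowerShell script is added here as an example; it is not Acronis code and is not part of the advisory. It checks, on one host, the three conditions the workaround and verification steps above describe: whether any non-administrative principal holds write rights on the install directory, whether SafeDllSearchMode is enabled, and whether the executables' file versions carry build 4569 or later. Its assumptions are not taken from the page: the install path is the one quoted above; the executable names are not listed, so every .exe under the directory is inspected; and the vendor build number is assumed to appear as the third or fourth component of the file version (confirm this against the About dialog before relying on the verdict). One caveat on the icacls workaround: a deny ACE for Everyone (S-1-1-0) also binds Administrators and SYSTEM, so it has to be removed (icacls "<dir>" /remove:d *S-1-1-0) before the patch installer can write to the directory.

```powershell
# Added example (not from the advisory): audit an Acronis Snap Deploy host for the
# conditions CVE-2024-34019 depends on. Assumptions are marked below.

param(
    # Install path as quoted on the page.
    [string]$InstallDir = 'C:\Program Files\Acronis\SnapDeploy',
    # Fixed build from the advisory.
    [int]$FixedBuild = 4569
)

# Principals expected to hold write access under Program Files.
$TrustedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

function Get-UntrustedWriters {
    # Returns Allow ACEs that let a caller drop, replace or re-permission files
    # in $Path and that belong to a principal outside $TrustedWriters.
    param([string]$Path)
    $R = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]($R::Write -bor $R::Delete -bor $R::ChangePermissions -bor $R::TakeOwnership)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $writeMask) -ne 0 -and
        $TrustedWriters -notcontains $_.IdentityReference.Value
    }
}

function Get-SafeDllSearchMode {
    # An absent value means the default, which is enabled (1).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $v = Get-ItemProperty -Path $key -Name SafeDllSearchMode -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 1 }
    return [int]$v.SafeDllSearchMode
}

function Test-SnapDeployPatched {
    # Assumption: the vendor build number is the 3rd (FileBuildPart) or
    # 4th (FilePrivatePart) component of the executable's file version.
    param([System.Diagnostics.FileVersionInfo]$Info, [int]$FixedBuild)
    $candidates = @($Info.FileBuildPart, $Info.FilePrivatePart)
    return (($candidates | Measure-Object -Maximum).Maximum -ge $FixedBuild)
}

if (-not (Test-Path -LiteralPath $InstallDir)) {
    Write-Output "Not installed: $InstallDir not found"
    return
}

Write-Output "SafeDllSearchMode: $(Get-SafeDllSearchMode) (1 = enabled)"

$writers = @(Get-UntrustedWriters -Path $InstallDir)
if ($writers.Count -gt 0) {
    Write-Output "WARNING: non-administrative principals can write to $InstallDir"
    $writers | ForEach-Object { Write-Output ("  {0}: {1}" -f $_.IdentityReference, $_.FileSystemRights) }
} else {
    Write-Output "OK: only trusted principals can write to $InstallDir"
}

Write-Output "Executable versions (fixed build: $FixedBuild):"
Get-ChildItem -LiteralPath $InstallDir -Filter *.exe -Recurse | ForEach-Object {
    $info = $_.VersionInfo
    $status = if (Test-SnapDeployPatched -Info $info -FixedBuild $FixedBuild) { 'patched' } else { 'VULNERABLE' }
    Write-Output ("  {0,-40} {1,-16} {2}" -f $_.Name, $info.FileVersion, $status)
}
```

Run it from an elevated PowerShell session so the ACL and registry reads succeed on hardened hosts; any line marked VULNERABLE, or any principal listed under the WARNING, means the host still needs the patch or the icacls workaround.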
📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 (process creation) showing Acronis processes loading DLLs from unusual locations
- Security logs showing privilege escalation from standard user to SYSTEM
Network Indicators:
- None - this is a local attack vector
SIEM Query:
EventID=4688 AND (ProcessName="*Acronis*" OR ProcessName="*snapdeploy*") AND (CommandLine="*dll*" OR NewProcessName="*dll*")
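The detection logic below is an added example and is not part of the advisory. It implements the two log indicators listed above as rules run over constructed sample events. It assumes Sysmon is deployed, because Windows' own Event ID 4688 records only process creation: Sysmon Event ID 7 (Image loaded) records each DLL as it is mapped into a process, and Event ID 11 (FileCreate) records files being written, which is what a DLL drop into the application directory looks like. Field names follow Sysmon's schema; the install path is the one quoted on the page; every user, process and file name in the samples is made up.

```powershell
# Added example (not from the advisory): flag DLL-hijacking precursors and
# untrusted library loads for Acronis Snap Deploy processes in Sysmon events.

$InstallDir  = 'C:\Program Files\Acronis\SnapDeploy'   # path as quoted on the page
$SystemDirs  = @('C:\Windows\System32', 'C:\Windows\SysWOW64', 'C:\Windows\WinSxS')
$TrustedUsers = @('NT AUTHORITY\SYSTEM')               # installer/service context

function Test-UnderPath {
    # True when $Path lies inside directory $Root (case-insensitive, no prefix tricks).
    param([string]$Path, [string]$Root)
    return $Path.StartsWith($Root.TrimEnd('\') + '\', [System.StringComparison]::OrdinalIgnoreCase)
}

function Find-DllHijackIndicators {
    # Emits one alert object per matching event.
    param([object[]]$Events)
    foreach ($e in $Events) {
        if ($e.EventID -eq 11) {
            # Rule 1: a DLL written into the application directory by a user other
            # than SYSTEM is the precondition the CVE describes.
            if ($e.TargetFilename -like '*.dll' -and
                (Test-UnderPath $e.TargetFilename $InstallDir) -and
                $TrustedUsers -notcontains $e.User) {
                [pscustomobject]@{ Rule = 'DLL dropped in app dir'; User = $e.User;
                                   Image = $e.Image; Detail = $e.TargetFilename }
            }
        }
        elseif ($e.EventID -eq 7 -and (Test-UnderPath $e.Image $InstallDir)) {
            # Rule 2: an Acronis process loading a library from outside the Windows
            # directories and its own install directory, or one whose signature
            # does not verify, regardless of where it sits.
            $fromSystem  = @($SystemDirs | Where-Object { Test-UnderPath $e.ImageLoaded $_ }).Count -gt 0
            $fromInstall = Test-UnderPath $e.ImageLoaded $InstallDir
            if ((-not $fromSystem -and -not $fromInstall) -or $e.SignatureStatus -ne 'Valid') {
                [pscustomobject]@{ Rule = 'Untrusted DLL loaded'; User = $e.User;
                                   Image = $e.Image; Detail = "$($e.ImageLoaded) [$($e.SignatureStatus)]" }
            }
        }
    }
}

# Constructed sample events (not real telemetry); names are placeholders.
$SampleEvents = @(
    [pscustomobject]@{ EventID = 11; User = 'CORP\jdoe'; Image = 'C:\Users\jdoe\AppData\Local\Temp\dropper.exe';
                       TargetFilename = "$InstallDir\sample.dll" }
    [pscustomobject]@{ EventID = 11; User = 'NT AUTHORITY\SYSTEM'; Image = 'C:\Windows\System32\msiexec.exe';
                       TargetFilename = "$InstallDir\example_vendor.dll" }
    [pscustomobject]@{ EventID = 7; User = 'NT AUTHORITY\SYSTEM'; Image = "$InstallDir\example_agent.exe";
                       ImageLoaded = 'C:\Windows\System32\kernel32.dll'; SignatureStatus = 'Valid' }
    [pscustomobject]@{ EventID = 7; User = 'NT AUTHORITY\SYSTEM'; Image = "$InstallDir\example_agent.exe";
                       ImageLoaded = "$InstallDir\sample.dll"; SignatureStatus = 'Unavailable' }
    [pscustomobject]@{ EventID = 7; User = 'CORP\jdoe'; Image = 'C:\Windows\explorer.exe';
                       ImageLoaded = 'C:\Users\jdoe\plugin.dll'; SignatureStatus = 'Unavailable' }
)

$alerts = @(Find-DllHijackIndicators -Events $SampleEvents)
$alerts | Format-Table -AutoSize
Write-Output "$($alerts.Count) alert(s)"   # the samples above produce 2: one per rule
```

Only the unsigned-user drop and the unsigned load by the Acronis process fire; the SYSTEM-context installer write, the signed system DLL load and the unrelated explorer.exe load are ignored. To run this against live data, replace $SampleEvents with objects built from Get-WinEvent on the Microsoft-Windows-Sysmon/Operational log and keep the same field names.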