CVE-2024-34332

7.8 HIGH

📋 TL;DR

This vulnerability in SiSoftware SANDRA's kernel driver allows local attackers to escalate privileges by sending a crafted buffer via DeviceIoControl. Attackers with initial access can gain SYSTEM-level privileges. Affects SANDRA installations on Windows systems.

💻 Affected Systems

Products:
  • SiSoftware SANDRA
Versions: v31.66 and earlier versions
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires SANDRA kernel driver (SANDRA.sys version 15.18.1.1 or earlier) to be loaded. Driver typically loads when SANDRA application runs.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, and lateral movement across the network.

🟠 Likely Case

Local privilege escalation from standard user to SYSTEM, allowing attackers to bypass security controls, disable antivirus, and maintain persistence.

🟢 If Mitigated

Limited impact if proper endpoint protection detects kernel driver exploitation attempts and if users operate with least privilege.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring initial access to the system.
🏢 Internal Only: HIGH - Once an attacker gains initial foothold on a system with SANDRA installed, they can escalate to SYSTEM privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local access and ability to call DeviceIoControl. Public technical details available in referenced advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v31.67 or later

Vendor Advisory: https://www.sisoftware.co.uk/

Restart Required: Yes

Instructions:

1. Download the latest SANDRA version from the official website.
2. Uninstall the current version.
3. Install the updated version.
4. Restart the system to ensure the new driver loads.

🔧 Temporary Workarounds

Disable SANDRA kernel driver (Windows)

Prevent the vulnerable driver from loading by disabling or removing it:

sc stop Sandra
sc delete Sandra
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Sandra" /f

Remove SANDRA application (Windows)

Uninstall SANDRA completely to remove the vulnerable driver:

Control Panel > Programs > Uninstall a program > Select SiSoftware SANDRA > Uninstall

🧯 If You Can't Patch

  • Implement application control policies to block SANDRA execution
  • Use endpoint detection to monitor for DeviceIoControl calls to SANDRA driver

🔍 How to Verify

Check if Vulnerable:

Check the SANDRA version in the About dialog, or check the SANDRA.sys driver version: a driver version of 15.18.1.1 or earlier is affected; a patched driver reports a version later than 15.18.1.1.

Check Version:

wmic datafile where name="C:\\Program Files\\SiSoftware\\Sandra Lite\\SANDRA.sys" get version

Verify Fix Applied:

Verify SANDRA version is v31.67+ and driver version is updated
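The two checks above (driver file version and whether the driver service is still loaded) combined into one script, as an added example that is not part of the original advisory. The install path and the service name "Sandra" are taken from this page and may differ on other SANDRA editions.

```powershell
# Added example, not the vendor's or the advisory's own code.
# Assumes the driver path and service name given on this page.
$DriverPath = 'C:\Program Files\SiSoftware\Sandra Lite\SANDRA.sys'
$LastBadVer = [version]'15.18.1.1'   # last affected driver version per the advisory

function Test-SandraDriver {
    param([string]$Path = $DriverPath)

    $result = [ordered]@{
        Present     = $false
        FileVersion = $null
        Vulnerable  = $false
        Loaded      = $false
    }

    if (Test-Path -LiteralPath $Path) {
        $result.Present = $true
        $raw = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
        # FileVersion strings may use commas or carry trailing text; keep the numeric part only
        $m = [regex]::Match(($raw -replace ',\s*', '.'), '\d+(\.\d+){1,3}')
        if ($m.Success) {
            $ver = [version]$m.Value
            $result.FileVersion = $ver.ToString()
            # 15.18.1.1 or earlier is affected
            $result.Vulnerable = ($ver -le $LastBadVer)
        }
    }

    # Kernel drivers are not listed by Get-Service; query the driver service class instead
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='Sandra'" -ErrorAction SilentlyContinue
    if ($drv) { $result.Loaded = ($drv.State -eq 'Running') }

    [pscustomobject]$result
}

Test-SandraDriver
```

A host is fixed only when Vulnerable is False; a driver that is absent but still registered as a running service should be investigated.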

📡 Detection & Monitoring

Log Indicators:

  • DeviceIoControl calls to \Device\Sandra
  • Driver load events for SANDRA.sys
  • Privilege escalation attempts

Network Indicators:

  • No network indicators - local exploit only

SIEM Query:

(EventID=4688 AND (NewProcessName LIKE '%SANDRA%' OR CommandLine LIKE '%SANDRA%')) OR (EventID=7045 AND ServiceName='Sandra')
