
Microsoft Windows Unquoted Service Path Vulnerability

by Andrew Freeborn
August 10, 2016

Microsoft Windows Unquoted Service Path Vulnerability Report

Organizations can expect with certainty that at least some of the software used to support the business will have a vulnerability. The vulnerability may be low risk and left alone, or it may be a critical risk that needs immediate attention. However, the impact of a vulnerability tends to be limited to one particular piece of software, which may or may not be widely used in an organization.

A Windows system has many services, which are programs running in the background. These programs exist somewhere in the file system, and the service manager uses the file path to find the program and run the service. In some cases, there are breaks (spaces) in the names of folders in the path to the program. For example, a program such as “myprogram.exe” can exist in the folder “c:\temp\My Folder\”. In Windows, a service can point to c:\temp\My Folder\myprogram.exe without quotes, or it can enclose the absolute path in double quotes, such as “c:\temp\My Folder\myprogram.exe”. The operating system will resolve the path to the program in either case and run the service. Running the service in this way is a design decision by Microsoft.

As the service can run in either configuration, there are no problems from a functionality or availability perspective. Windows follows clear and concise rules here, but when the path is not quoted it will try to look for “myprogram.exe” in a folder path of “c:\temp\My” and then “c:\temp\My Folder”. The space is treated as an optional path to explore for that program. The attack scenario occurs when, by happenstance or malicious intent, a folder “c:\temp\My” exists and contains an innocuous or malicious program also called “myprogram.exe”, which would be run first by the service manager.

As this complete scenario is a design decision by Microsoft and programs are not required to have double quotes, this scenario could potentially be exploited by attackers. When an organization uses Tenable SecurityCenter CV and Tenable Nessus, this scenario is identified with our solutions. An analyst can scan a network with Nessus using plugin ID 63155 to specifically identify services on systems using unquoted file paths. Once found, analysts can work with the appropriate personnel to remediate the issue with either vendor support or by manual intervention within the service manager.
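The check described above can be approximated offline against service ImagePath strings exported from `HKLM\SYSTEM\CurrentControlSet\Services`. The following is an added example, not Tenable's plugin logic or code from the original report; the function names and the sample services are constructed for illustration, and it assumes service binaries end in `.exe`.

```python
import re

# Executable part of an unquoted ImagePath: text up to the first ".exe" that
# is followed by whitespace or end of string; anything after it is arguments.
# Assumption of this example: only .exe service binaries are considered.
_EXE = re.compile(r'^(?P<exe>.+?\.exe)(?=\s|$)(?P<args>.*)$', re.IGNORECASE)

def audit_image_path(image_path):
    """Classify one service ImagePath string.

    'prefixes' lists the path cut at each space (the locations explored
    before the intended one); 'fixed' is the command line with the
    executable path enclosed in double quotes.
    """
    path = image_path.strip()
    result = {"vulnerable": False, "prefixes": [], "fixed": path}
    if path.startswith('"'):
        return result                      # already quoted, nothing to do
    m = _EXE.match(path)
    if not m or " " not in m.group("exe"):
        return result                      # spaces only in arguments, or none
    exe, args = m.group("exe"), m.group("args")
    result["vulnerable"] = True
    result["prefixes"] = [exe[:i] for i, ch in enumerate(exe) if ch == " "]
    result["fixed"] = f'"{exe}"{args}'
    return result

# Constructed sample data (hypothetical service names and paths).
SAMPLE_SERVICES = {
    "ExampleSvcA": r'c:\temp\My Folder\myprogram.exe',
    "ExampleSvcB": r'"c:\temp\My Folder\myprogram.exe"',
    "ExampleSvcC": r'C:\Windows\system32\svchost.exe -k netsvcs',
    "ExampleSvcD": r'C:\Program Files\Vendor App\svc.exe --run',
}

def findings(services):
    """Return only the services whose path is unquoted and contains a space."""
    audited = {name: audit_image_path(p) for name, p in services.items()}
    return {name: r for name, r in audited.items() if r["vulnerable"]}

if __name__ == "__main__":
    for name, r in findings(SAMPLE_SERVICES).items():
        print(name, r["prefixes"], "->", r["fixed"])
```

The `prefixes` list tells the analyst which locations to review for unexpected files, and `fixed` is the quoted value to apply during remediation.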

This report provides a focused analysis of this issue across the organization. Analysts can use this to quickly determine which hosts and services are impacted with this vulnerability. Additional information, such as the impact across IP address ranges and the impact over time, is provided to the analyst to help determine how long this issue has persisted across the organization.

This report is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The report can be easily located in the SecurityCenter Feed under the category Discovery & Detection. The report requirements are:

  • SecurityCenter 5.4.0
  • Nessus 6.8.1

Tenable SecurityCenter Continuous View (CV) provides continuous network monitoring, vulnerability identification, and security monitoring. SecurityCenter is continuously updated with information about advanced threats and zero-day vulnerabilities, and new types of regulatory compliance configuration audit files. Tenable constantly analyzes information from our unique sensors, delivering continuous visibility and critical context, enabling decisive action that transforms your security program from reactive to proactive. Active scanning examines the devices on the systems, running processes and services, configuration settings and services, and additional vulnerabilities. Tenable enables powerful, yet non-disruptive, continuous monitoring of the organization to ensure accurate and up-to-date information is presented on existing vulnerabilities discovered within the network.

This report contains the following chapters:

  • Executive Summary: This chapter provides an overview of the Microsoft Windows unquoted service path vulnerability in the organization
  • Microsoft Windows Unquoted Service Path Vulnerability Details: This chapter provides a detailed view of the Microsoft Windows hosts affected with the unquoted service path vulnerability
