How to Remediate Vulnerability “Microsoft Windows Unquoted Service Path Enumeration” (Nessus plugin ID 63155)

"Organizations can expect with certainty that at least some software that is used to support the business will have a vulnerability. The vulnerability may be a low risk and left alone, or the vulnerability may be a critical risk and need immediate attention. However, the impact of the vulnerability tends to be focused to one particular piece of software which may or may not be used widely in an organization.
A Windows system has many services, which are programs running in the background. These programs exist somewhere in the file system, for which the service manager uses the file path to find the program to then run the service. In some cases, there are breaks in the names of folders in the path to the program in the file system. For example, a program such as “myprogram.exe” can exist in the folder “c:\temp\My Folder\”. In Windows, a service can specifically can point to c:\temp\My Folder\myprogram.exe or it can enclose the absolute path in double quotes such as “c:\temp\My Folder\myprogram.exe”. The operating system will resolve the path to the program in either case and run the service. This is a design decision by Microsoft to run the service as previously described.
As the service can run in either configuration, there are no problems from a functionality or availability perspective. There are clear and concise rules Windows will follow, but will try to look for “myprogram.exe” in a folder path of “c:\temp\My” and then “c:\temp\My Folder”. The space is treated as an optional path to explore for that program. The attack scenario occurs when, by happenstance or malicious intent, there was a folder of “c:\temp\My” with an innocuous or malicious program also called “myprogram.exe”, which would be run first by the service manager.
As this complete scenario is a design decision by Microsoft and programs are not required to have double quotes, this scenario could potentially be exploited by attackers. When an organization uses Tenable SecurityCenter CV and Tenable Nessus, this scenario is identified with our solutions. An analyst can scan a network with Nessus using plugin ID 63155 to specifically identify services on systems using unquoted file paths. Once found, analysts can work with the appropriate personnel to remediate the issue with either vendor support or by manual intervention within the service manager.
This report provides a focused analysis of this issue across the organization. Analysts can use this to quickly determine which hosts and services are impacted with this vulnerability. Additional information, such as the impact across IP address ranges and the impact over time, is provided to the analyst to help determine how long this issue has persisted across the organization.
This report is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The report can be easily located in the SecurityCenter Feed under the category Discovery & Detection. The report requirements are:
  • SecurityCenter 5.4.0
  • Nessus 6.8.1
Tenable SecurityCenter Continuous View (CV) provides continuous network monitoring, vulnerability identification, and security monitoring. SecurityCenter is continuously updated with information about advanced threats and zero-day vulnerabilities, and new types of regulatory compliance configuration audit files. Tenable constantly analyzes information from our unique sensors, delivering continuous visibility and critical context, enabling decisive action that transforms your security program from reactive to proactive. Active scanning examines the devices on the systems, running processes and services, configuration settings and services, and additional vulnerabilities. Tenable enables powerful, yet non-disruptive, continuous monitoring of the organization to ensure accurate and up-to-date information is presented on existing vulnerabilities discovered within the network.
This report contains the following chapters:
  • Executive Summary: This chapter provides an overview of the Microsoft Windows unquoted service path vulnerability in the organization
  • Microsoft Windows Unquoted Service Path Vulnerability Details: This chapter provides a detailed view of the Microsoft Windows hosts affected with the unquoted service path vulnerability"

This script locates all services from HKLM\SYSTEM\CurrentControlSet\services, identifies paths with spaces and without the quotes and remediates by setting the quotes at the beginning and end of the path