Introduction
In today’s digital world, cyber threats continue to evolve. Known weaknesses must be addressed quickly to avoid breaches, data loss, and ransomware attacks. Cyber Essentials Plus testing is aimed at identifying such weaknesses and can highlight configuration issues that should be fixed. One example of this is the “Windows unquoted/trusted service paths privilege escalation security issue” vulnerability – it can lead to significant issues if not remediated. In this article we explain the vulnerability, outline solutions, discuss its importance, and link it to the benefits of Cyber Essentials Plus testing.
Cyber Essentials Plus Testing
Cyber Essentials aims to ensure devices are not vulnerable to security flaws that attackers can commonly exploit. Cyber Essentials Plus involves testing to determine whether an internet-based attacker can hack into systems using low-skill methods. It also checks devices to determine whether weaknesses exist. Qualified professionals use advanced tools to find and highlight these weaknesses. These findings help organisations identify and fix problems before hackers take advantage.
Windows Unquoted/Trusted Service Paths Privilege Escalation Security Issue Explained
This is a misconfiguration on the Windows device rather than a bug in Windows itself: a service is registered with an executable path that contains spaces but is not enclosed in quotation marks. When the service starts, Windows may resolve that ambiguous path to a file an attacker has planted and run it, with the service account's privileges, instead of the intended service binary.
What an Attacker Can Do
An attacker with a local account on the affected device, and write access to one of the directories along the unquoted path, can drop an executable with a matching name. The next time the service starts (at boot, or after a restart), Windows runs the attacker's file rather than the intended software, typically as LocalSystem. The attacker cannot trigger this remotely without some prior foothold, but a low-privileged user can use it to take full control of the machine.
How it Works
Normally the ImagePath value for a service names exactly one executable. If that path contains spaces and is not quoted, Windows cannot tell where the executable name ends and any arguments begin, so it tries each space-delimited prefix in turn, appending .exe where no extension is present, until it finds a file that exists. For an unquoted path such as C:\Program Files\MyApp\service.exe it will try C:\Program.exe first and only then C:\Program Files\MyApp\service.exe. If an attacker can create C:\Program.exe, that is what the service runs, and the attacker inherits the service's privileges.
Potential Impact
The impact could be severe. An attacker gaining control of an affected machine could lead to operational disruption, loss of sensitive customer data, damage to brand reputation, regulatory and compliance issues, and fines.
Why it Matters
Because the planted file runs with the service account's privileges, usually LocalSystem, a standard user can escalate to full control of the device and bypass controls that depend on that user having limited rights. Vulnerability scanners classify the issue as HIGH RISK, so it is flagged for remediation during Cyber Essentials Plus testing. The Cyber Essentials: Requirements for IT Infrastructure v3.2 document requires vulnerabilities with a CVSS v3 base score of 7.0 or above to be fixed within 14 days, which covers this finding.
Severity
- A HIGH RISK severity ranking
- CVSSv3 Base Score: 7.8 (a local, low-privilege attack vector with high confidentiality, integrity and availability impact: the attacker needs an account on the device and write access to a directory on the path, but gains the service account's privileges)
- The vulnerability can be used to run malicious software with elevated privileges, for example to deploy ransomware or establish persistence
Fix
- Identify the vulnerable service paths
- Apply a registry change to add quotation marks around the executable path (quotes enclose the executable only; any arguments stay outside them)
- Restart the affected service, or the system, so the new ImagePath is read
Warning – Before Making Registry Changes
Before making changes, test them in a non-production environment, take appropriate backups so that you can revert, and only then roll out to production.
1. Create a Manual Backup Using Registry Editor:
- Press Win + R, type regedit, and press Enter to open the Registry Editor
- In the Registry Editor, click on File and select Export
- Choose a location on your computer to save the backup
- In the Export Range panel, ensure that All is selected to back up the entire registry
- Name the backup file and click Save
2. Create a System Restore Point:
- Open the Start menu and type/select Create a restore point
- In the System Properties window, click Create
- Enter a description for the restore point and click Create
Resolution Steps
1. Locate the vulnerable paths:
- Work with your Assessor to understand the specific vulnerable path
- Or review an authenticated vulnerability assessment report, which lists the affected services and their ImagePath values
2. Fix the Registry:
- Open Registry Editor with administrator privileges
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- Select the key for the affected service
- Double-click ImagePath to see the location
- Add quotation marks around the executable path in ImagePath, leaving any arguments outside the quotes, for example:
- Before: C:\Program Files\MyApp\service.exe
- After: "C:\Program Files\MyApp\service.exe"
- With arguments: "C:\Program Files\MyApp\service.exe" -run (not "C:\Program Files\MyApp\service.exe -run", which would make Windows look for a file with -run in its name)
3. Restart the service, or the system, for the change to be applied; the new ImagePath is only read when the service starts
Checking The Fix
1. Check the registry entries
- Vulnerable: C:\Program Files\MyApp\service.exe
- Fixed: "C:\Program Files\MyApp\service.exe"
2. Rerun the vulnerability assessment (authenticated level) to confirm remediation, as well as detect any other known vulnerabilities
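The path resolution described under How it Works, and the locate, fix and check steps above, can be carried out in one pass with the following PowerShell script. It is an added example written for this article, not code from the original page, a scanner vendor or Microsoft. It enumerates every service key, lists the files Windows would try before the real binary, flags paths where a low-privileged group can write to one of those directories, and with -Fix quotes the executable portion while preserving any arguments and the value's REG_EXPAND_SZ type. The script name, and the choice of Everyone, Authenticated Users, Users and INTERACTIVE as the "low-privileged" groups, are assumptions; run it from an elevated Windows PowerShell 5.1 or later session.

```powershell
# Find-UnquotedServicePath.ps1 (hypothetical name): added example, not from the original article.
# Reports services with an unquoted ImagePath containing a space; -Fix quotes the executable
# portion (supports -WhatIf). Assumes an elevated Windows PowerShell 5.1+ session.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Fix)

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# CreateProcess resolves an unquoted command line by trying each space-delimited prefix
# (with .exe appended where there is no extension) until a file exists, so
# "C:\Program Files\My App\svc.exe -run" is tried as C:\Program.exe, then
# "C:\Program Files\My.exe", then the intended binary. The first token ending in .exe
# is treated as the intended executable; anything after it is arguments.
function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$ImagePath)
    $tokens = $ImagePath -split ' '
    $result = [ordered]@{ Executable = $null; Arguments = ''; Candidates = @() }
    for ($i = 0; $i -lt $tokens.Count; $i++) {
        $prefix = $tokens[0..$i] -join ' '
        if ($prefix -match '\.exe$') {
            $result.Executable = $prefix
            if ($i + 1 -lt $tokens.Count) { $result.Arguments = $tokens[($i + 1)..($tokens.Count - 1)] -join ' ' }
            break
        }
        $result.Candidates += "$prefix.exe"   # file Windows would try before reaching the real exe
    }
    return $result
}

# Heuristic ACL check: does Everyone, Authenticated Users, Users or INTERACTIVE hold an
# Allow ACE granting CreateFiles/WriteData, GENERIC_WRITE or GENERIC_ALL on the directory?
function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $lowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')   # assumed "low-privileged" set
    $writeMask = 0x2 -bor 0x10000000 -bor 0x40000000
    foreach ($rule in (Get-Acl -LiteralPath $Directory).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        try { $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($lowPrivSids -contains $sid -and (([int]$rule.FileSystemRights -band $writeMask) -ne 0)) { return $true }
    }
    return $false
}

$findings = foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    # Read the raw value so %SystemRoot%-style REG_EXPAND_SZ paths are not baked in on write-back
    $raw = [string]$key.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
    if (-not $raw) { continue }
    $expanded = [Environment]::ExpandEnvironmentVariables($raw)
    # Not affected: already quoted, no space, or not an absolute drive path (e.g. \SystemRoot\... drivers)
    if ($expanded.StartsWith('"') -or $expanded -notmatch ' ' -or $expanded -notmatch '^[A-Za-z]:\\') { continue }
    $parsedRaw = Get-UnquotedPathCandidates -ImagePath $raw
    $parsed    = Get-UnquotedPathCandidates -ImagePath $expanded
    if (-not $parsedRaw.Executable) { continue }   # no .exe token (e.g. .sys kernel drivers): out of scope here
    $exposed = @($parsed.Candidates | Where-Object { Test-LowPrivWritable -Directory (Split-Path -Path $_ -Parent) })
    $fixed = '"{0}"' -f $parsedRaw.Executable
    if ($parsedRaw.Arguments) { $fixed += ' ' + $parsedRaw.Arguments }   # arguments stay outside the quotes
    [pscustomobject]@{
        Service     = $key.PSChildName
        ImagePath   = $raw
        Candidates  = ($parsed.Candidates -join '; ')
        Exploitable = ($exposed.Count -gt 0)   # a low-privileged user could plant one of the candidates
        FixedPath   = $fixed
    }
}

if ($Fix) {
    foreach ($f in $findings) {
        $path = Join-Path -Path $servicesKey -ChildPath $f.Service
        $kind = (Get-Item -Path $path).GetValueKind('ImagePath')   # keep REG_EXPAND_SZ values as REG_EXPAND_SZ
        if ($PSCmdlet.ShouldProcess("service '$($f.Service)'", "set ImagePath to $($f.FixedPath)")) {
            Set-ItemProperty -Path $path -Name ImagePath -Value $f.FixedPath -Type $kind
        }
    }
}
$findings | Format-Table -AutoSize
```

Run it with no switches to produce the report, then with -Fix -WhatIf to preview each registry write, and finally with -Fix to apply. Restart each listed service (Restart-Service, or a reboot) so the quoted ImagePath takes effect, then run the script again: an empty report, followed by a clean authenticated vulnerability scan, confirms the remediation. Scanners flag every unquoted path regardless of directory permissions, so fix all findings even where Exploitable is False; the flag only tells you which ones a local user could already abuse.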
How We Help
At RB Consultancy Ltd we support organisations looking to implement controls and/or certify to Cyber Essentials and Cyber Essentials Plus requirements:
- NCSC Assured Cyber Advisor - we help organisations understand and implement technical controls and provide detailed steps on how to resolve this vulnerability
- Cyber Essentials Plus Assessor – we assess organisations against the requirements and carry out vulnerability assessments
- Cyber Essentials Plus Certification Body – we issue organisations with certifications
Conclusion
Cyber Essentials Plus testing identifies critical and high-risk vulnerabilities. By making registry changes, it’s possible to effectively mitigate the Windows Unquoted/Trusted Service Paths Privilege Escalation issue and enhance system security. Regular updates and monitoring of the system for vulnerabilities are essential when maintaining a secure environment. There is always risk when making changes – follow best practice guidance on rolling out change (reverting if needed).