Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials
Store

Nessus Vulnerability Scanner

Can you test your products against a vulnerability product such as Nessus as many organisation will use such a product for vulnerability scanning or compliance reporting etc... and I have come across an issue as an example of where we see a vulnerability with your product.

Microsoft Windows Unquoted Service Path Enumeration

Description

The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace. A local attacker could gain elevated privileges by inserting an executable file in the path of the affected service.

Note that this is a generic test that will flag any application affected by the described vulnerability.

Solution

Ensure that any services that contain a space in the path enclose the path in quotes.

Output

Nessus found the following services with an untrusted path :
SWJMXBridgeSvc : C:\Program Files (x86)\Solarwinds\Orion\APM\jmxbridge\jsl\jsl.exe
SWLANsurveyor : C:\Program Files (x86)\SolarWinds\SolarWinds LANsurveyor\\SrvAnyTool\\SRVANY.EXE

Port Hosts
445 445 / tcp / cifs
WWW.XXX.YYY.ZZZ

Find more posts tagged with

Status: None

Comments

tmeyers

Hi.... Did you ever find a solution for this? I have come across this in my environment as well.... looking for a solution

foonly

This is still a problem with the JMX service on NPM12 with HotFix 2 and SAM v6.2.4 CU4. Fresh reinstalls may restore the unquoted path.

This is a pain for government customers, who generally get scanned by Nessus regularly, and this is flagged as a High severity vulnerability by

Note that Nessus rather mindlessly simply checks for presence of quotes on all paths, whether the actual path has spaces in it or not. Quotes are not actually needed if there's no spaces in the path. But try to tell that to non-technical security inspectors. Here's more info on what the vulnerability is about, and how it can be exploited:

https://trustfoundry.net/practical-guide-to-exploiting-the-unquoted-service-path-vulnerability-in-windows/

Here's how to fix it generally:

Find the service:

Option 1 :

Open the Services control panel, and right click each service, and inspect the Path to executable box till you find one that does not start with quotes:

Option 2 - the script method:

(thanks to reference: Unquoted Service Paths | Common Exploits - Penetration Testing Information )

Open cmd window on the server, and enter the following command:

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

If it finds service path without quotes, it will display something like:

SolarWinds JMX Bridge SWJMXBridgeSvc C:\Program Files (x86)\SolarWinds\Orion\APM\jmxbridge\jsl\jsl.exe

Fixing it:

Now, open regedit, and find the service by browsing to HKLM\SYSTEM\CurrentControlSet\services. Then click Edit> Find, and enter all or part of the path above - C:\Program Files (x86)\SolarWinds\Orion\APM\jmxbridge\jsl\jsl.exe

Double click ImagePath key, and add double quotes quotes before and after the whole string, just as you would do an a command line.

The fix is immediate - no need to restart or reboot anything.

In the above case, the ImagePath is easy. Some other services may have command parameters in the ImagePath - you need to quote just the path part, just as you would executing the command on a command line.