Security scanning - question about Windows service

Hello,

As part of our internal security requirements all new servers are being scanned by a Nessus engine before being released to production.  My two new Lync FE servers have been tagged with having a high-level vulnerability.  See below.  It calls out the Windows Identity Foundation service as having an 'unquoted service path' in the registry.  

Before I comply with trying to 'fix' this 'vulnerability', I was wondering if anyone else runs similar internal security...and if so, have you successfully 'fixed' something like this.  I'm a little reluctant to go mucking about in the registry to modify this 'service path' to include quotes.

Thanks in advance for any advice/replies.  vulnerability data below:

445/tcp
63155 - Microsoft Windows Unquoted Service Path Enumeration

Synopsis
The remote Windows host has at least one service installed that uses an unquoted service path.

Description
The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace. A local attacker could gain elevated privileges by inserting an executable file in the path of the affected service.

See Also
http://isc.sans.edu/diary.html?storyid=14464
http://cwe.mitre.org/data/definitions/428.html
http://www.commonexploits.com/?p=658

Solution
Ensure that any services that contain a space in the path enclose the path in quotes.

Risk Factor
High

CVSS Base Score
7.2 (CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score
6.5 (CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

Exploitable with
Metasploit (true)

Plugin Information:
Publication date: 2012/12/05, Modification date: 2012/12/17

Ports
tcp/445

Nessus found the following service with an untrusted path:
c2wts : C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe

March 26th, 2013 12:29pm

Hi,

Thanks for posting in Microsoft TechNet forums.

This can be a false alarm from the Nessus product. We can reinstall WIF 3.5 to see if the issue can be fixed. We can also try contacting the manufacturer/support of the Nessus product regarding this issue.

Regards

Kevin

TechNet Subscriber Support

If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

 
March 28th, 2013 2:37am

Thanks - I had a rescan done and the vulnerability came back again.

Went ahead with the modification needed - just wrapping service path in registry with quotation marks.  Seems to have been a harmless 'fix'.

Closing this thread.

  • Marked as answer by JayCrumpGP Friday, March 29, 2013 11:27 AM
March 29th, 2013 11:27am

If using Nessus, then also look for the following path in the registry if you can't find the referenced path:  %ProgramFiles%\Windows Identity Foundation\v3.5\c2wtshost.exe

Enclose that path in quotes.  If you search for the full path as specified in the assessment report, then often times you'll think it's a false positive.

February 2nd, 2015 8:05pm

I have the same problem and I fixed it using that script (deploying via SCCM).

April 26th, 2015 3:37pm
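
An audit along the lines the replies above describe, as an added PowerShell example that is not part of the original thread and is not the script the previous poster refers to. It reads each service's ImagePath as stored (so entries written as %ProgramFiles%\... are caught), reports unquoted paths that contain whitespace once expanded, and rewrites them only when run with -Fix. The -Fix switch and the output field names are this example's own; paths without an .exe extension are not examined.

```powershell
# Added example (not from the thread): audit Win32 services for unquoted ImagePath values.
# Run elevated. Without -Fix it only reports; -Fix is this example's own switch name.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Fix)

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$noExpand    = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

$findings = foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    # Read the value exactly as stored, so %ProgramFiles% stays visible in the report.
    $raw = $key.GetValue('ImagePath', $null, $noExpand)
    if ([string]::IsNullOrWhiteSpace($raw)) { continue }

    # Type 0x10 / 0x20 = Win32 own-process / shared-process service; skip kernel drivers.
    $type = $key.GetValue('Type', 0)
    if (($type -band 0x30) -eq 0) { continue }

    # Already quoted, or no recognisable .exe: nothing to flag.
    if ($raw.TrimStart().StartsWith('"')) { continue }
    if ($raw -notmatch '^\s*(?<exe>.+?\.exe)(?<args>(\s.*)?)$') { continue }
    $exe = $Matches['exe']; $svcArgs = $Matches['args']

    # The space may only appear after expansion, e.g. %ProgramFiles% -> C:\Program Files.
    $expanded = [Environment]::ExpandEnvironmentVariables($exe)
    if ($expanded -notmatch '\s') { continue }

    [pscustomobject]@{
        Service  = $key.PSChildName
        Stored   = $raw
        Expanded = $expanded
        Proposed = '"{0}"{1}' -f $exe, $svcArgs   # quote the executable, keep arguments
        Kind     = $key.GetValueKind('ImagePath')
        KeyPath  = $key.PSPath
    }
}

$findings | Format-List Service, Stored, Expanded, Proposed

if ($Fix) {
    foreach ($f in $findings) {
        if ($PSCmdlet.ShouldProcess($f.Service, "Set ImagePath to $($f.Proposed)")) {
            # Keep the original value kind (REG_SZ or REG_EXPAND_SZ).
            Set-ItemProperty -Path $f.KeyPath -Name ImagePath -Value $f.Proposed -Type $f.Kind
        }
    }
}
```

Running it with -Fix -WhatIf lists the changes it would make without writing to the registry.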

This topic is archived. No further replies will be accepted.
