Executive Summary

This vulnerability in the NarSuS App involves the registration of a Windows service with an unquoted file path. Because of this, a user who has write permission on the root directory of the system drive can exploit the unquoted search path to execute arbitrary code with SYSTEM privileges, which means they can run code with the highest level of access on the system. [1]

Useful 0 Not Useful 0

Impact Analysis

If exploited, this vulnerability allows an attacker with write access to the root of the system drive to execute arbitrary code with SYSTEM privileges. This can lead to full control over the affected system, compromising confidentiality, integrity, and availability of data and system resources, potentially allowing unauthorized actions such as installing malware, stealing data, or disrupting services. [1, 2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the NarSuS App registers a Windows service with an unquoted file path. You can use the Windows command line to list services and inspect their executable paths for unquoted spaces. For example, run the command: sc qc <service_name> to query the service configuration and check if the ImagePath contains unquoted spaces. Additionally, use: wmic service get name,pathname to list all services and their paths, then look for unquoted paths. If the NarSuS App service path is unquoted, the system is vulnerable. [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to update the NarSuS App to version 2.33 or later, where this vulnerability has been fixed. If your product is discontinued and does not support the updated version, consider replacing the product. Ensure that users without necessary permissions do not have write access to the root directory of the system drive to reduce risk. [1, 2]

Useful 0 Not Useful 0