Executive Summary

This vulnerability is an unquoted service path issue in the EaseUS UPDATE SERVICE executable (ensserver.exe) of EaseUS Data Recovery version 15.1.0.0. Because the service path contains spaces but is not enclosed in quotation marks, an attacker with local access can place a malicious executable in a location that Windows will mistakenly execute with elevated LocalSystem privileges. This allows the attacker to run arbitrary code with high privileges on the affected system. [1, 2]

Useful 0 Not Useful 0

Impact Analysis

An attacker exploiting this vulnerability can execute malicious code with LocalSystem privileges, which are the highest privileges on a Windows system. This can lead to full system compromise, including unauthorized access to sensitive data, modification or deletion of files, installation of persistent malware, and disruption of system availability. [1, 2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by identifying unquoted service paths in Windows services, specifically looking for the EaseUS UPDATE SERVICE executable 'ensserver.exe'. Commands such as 'wmic service get name,pathname,startmode' and 'sc qc "EaseUS UPDATE SERVICE"' can be used to check the service executable path and verify if it is unquoted and contains spaces. These commands help find services with unquoted paths that could be exploited. [2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include correcting the unquoted service path by enclosing the executable path in quotation marks to prevent path hijacking. Alternatively, updating the EaseUS Data Recovery software to a version where this vulnerability is fixed or removing the vulnerable service if not needed can reduce risk. Ensuring that only trusted users have local access also helps mitigate exploitation. [1, 2]

Useful 0 Not Useful 0