Executive Summary

[{'type': 'paragraph', 'content': "The vulnerability in Shrew Soft VPN Client version 2.2.2 is an unquoted service path issue in the 'iked' service. This means the executable path for the service contains spaces but lacks proper quotation marks, allowing local users with limited privileges to place malicious executables in directories along the service path."}, {'type': 'paragraph', 'content': 'When the system starts the service or reboots, the Windows Service Control Manager might execute the malicious executable with elevated system privileges, leading to arbitrary code execution with high-level access.'}, {'type': 'paragraph', 'content': 'This vulnerability is classified under CWE-428 (Unquoted Search Path or Element) and affects all versions up to and including 2.2.2 of the Shrew Soft VPN Client.'}] [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow a local attacker to escalate their privileges from limited user access to elevated system privileges by executing arbitrary code during service startup or system reboot.

Because the affected services run with LocalSystem privileges and are set to auto-start, exploitation can lead to full control over the affected system, compromising confidentiality, integrity, and availability.

An attacker who can write to directories in the service path undetected by security software can exploit this vulnerability, potentially leading to system takeover or persistent malicious control.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by checking for unquoted service paths in the Shrew Soft VPN Client's 'iked' service executable path. Specifically, look for service paths that include spaces but lack proper quotation marks, such as: C:\\Program Files\\ShrewSoft\\VPN Client\\iked.exe -service."}, {'type': 'paragraph', 'content': 'On Windows systems, you can use commands to list services and their executable paths to identify unquoted paths. For example, running the following command in an elevated command prompt can help detect unquoted service paths:'}, {'type': 'list_item', 'content': 'sc qc iked'}, {'type': 'paragraph', 'content': "This command queries the configuration of the 'iked' service and shows the executable path. If the path is unquoted and contains spaces, it indicates the presence of the vulnerability."}, {'type': 'paragraph', 'content': 'Additionally, you can use PowerShell to find all services with unquoted paths by running:'}, {'type': 'list_item', 'content': 'Get-WmiObject win32_service | where { $_.PathName -like \'* *\' -and $_.PathName -notlike \'"*"*\' } | select Name, PathName'}, {'type': 'paragraph', 'content': 'This command lists all services whose executable paths contain spaces but are not enclosed in quotes, which is a common indicator of this vulnerability.'}] [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate this vulnerability, immediately ensure that the service executable paths are properly quoted to prevent execution of malicious executables placed in the unquoted path.'}, {'type': 'paragraph', 'content': "Specifically, update the service path for the 'iked' service to include quotation marks around the executable path, for example:"}, {'type': 'list_item', 'content': '"C:\\Program Files\\ShrewSoft\\VPN Client\\iked.exe" -service'}, {'type': 'paragraph', 'content': 'If possible, update or patch the Shrew Soft VPN Client to a version that addresses this vulnerability.'}, {'type': 'paragraph', 'content': 'Additionally, restrict write permissions on directories in the service path to prevent local users from placing malicious executables.'}, {'type': 'paragraph', 'content': 'As a temporary measure, consider disabling or stopping the vulnerable service until a proper fix or patch is applied.'}] [1, 2]

Useful 0 Not Useful 0