Executive Summary

CVE-2016-20058 is an unquoted service path vulnerability found in Netgate AMITI Antivirus build 23.0.305, specifically in the AmitiAvSrv and AmitiAntivirusHealth services.

Because the service paths contain spaces but are not enclosed in quotes, a local attacker can place a malicious executable in a directory path that the system misinterprets.

When the affected service is restarted or the system reboots, the malicious executable is executed with LocalSystem privileges, allowing the attacker to escalate their privileges on the system.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows a local attacker with low privileges to escalate their privileges to LocalSystem, which is the highest level of privilege on a Windows system.

By exploiting this, an attacker can execute arbitrary code with full system privileges, potentially leading to full system compromise.

• Loss of confidentiality due to unauthorized access to sensitive data.
• Loss of integrity by allowing unauthorized modification of system files or settings.
• Loss of availability by disrupting system services or causing system instability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking the service paths of the AmitiAvSrv and AmitiAntivirusHealth services for unquoted paths that contain spaces. Unquoted service paths are vulnerable because Windows may interpret the path incorrectly, allowing an attacker to place a malicious executable in a directory that will be executed with elevated privileges.

On a Windows system, you can use the following command to check the service paths for unquoted spaces:

• sc qc AmitiAvSrv
• sc qc AmitiAntivirusHealth

Review the output for unquoted paths containing spaces, such as paths like: C:\Program Files\NETGATE\Amiti Antivirus\AmitiAntivirusSrv.exe

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should immediately quote the service paths for the AmitiAvSrv and AmitiAntivirusHealth services to prevent Windows from misinterpreting the path.

Alternatively, you can update or patch the Netgate AMITI Antivirus software if a fixed version is available.

As a temporary workaround, avoid restarting the affected services or rebooting the system until the service paths are corrected, to prevent execution of malicious code.

If you have local access, you can modify the service path using the following command (run as administrator):

• sc config AmitiAvSrv binPath= ""C:\Program Files\NETGATE\Amiti Antivirus\AmitiAntivirusSrv.exe""
• sc config AmitiAntivirusHealth binPath= ""C:\Program Files\NETGATE\Amiti Antivirus\AmitiAntivirusHealth.exe""

Useful 0 Not Useful 0

Compliance Impact

CVE-2016-20058 allows local attackers to escalate privileges to LocalSystem by exploiting an unquoted service path vulnerability in Netgate AMITI Antivirus. This privilege escalation can lead to unauthorized access to sensitive data and system resources.

Such unauthorized privilege escalation and potential data compromise can negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls on data confidentiality, integrity, and access management.

However, the provided information does not explicitly discuss the direct impact on compliance frameworks or specific regulatory requirements.

Useful 0 Not Useful 0