Executive Summary

CVE-2016-20061 is an unquoted service path vulnerability found in sheed AntiVirus version 2.3, specifically in the ShavProt service. Because the service's executable path contains spaces and is not enclosed in quotes, a local attacker can place a malicious executable in a directory path that the system interprets before the legitimate executable.

When the service restarts or the system reboots, the malicious executable is executed with LocalSystem privileges, allowing the attacker to escalate their privileges on the affected system.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows local attackers to escalate privileges to LocalSystem level, which can lead to unauthorized access, modification, or disruption of sensitive data and system functions.

Such unauthorized privilege escalation and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and availability.

Failure to mitigate this vulnerability could result in violations of these regulations due to increased risk of data breaches or unauthorized system changes.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows a local attacker with low privileges to escalate their privileges to LocalSystem level by exploiting the unquoted service path in the ShavProt service.

• The attacker can execute arbitrary code with high-level privileges.
• This can lead to full system compromise, including unauthorized access to sensitive data, modification of system files, and disruption of system availability.
• The vulnerability has a high severity rating with a CVSS v4 score of 8.5, indicating significant impact on confidentiality, integrity, and availability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for unquoted service paths in the installed services, specifically looking for the ShavProt service related to sheed AntiVirus 2.3.

A common method to detect unquoted service paths is to query the service executable path and verify if it contains spaces without quotes.

• Use the command: sc qc ShavProt
• Check the output for the BINARY_PATH_NAME field; if the path contains spaces and is not enclosed in quotes, the service is vulnerable.
• Alternatively, use PowerShell to find unquoted service paths: Get-WmiObject win32_service | where {$_.PathName -like '* *' -and $_.PathName -notlike '"*"'} | select Name, PathName

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, immediately quote the service executable path to prevent the system from misinterpreting the path and executing malicious code.

Specifically, update the ShavProt service path from an unquoted path like C:\Program Files\Sheed AntiVirus\shgrprot.exe to a quoted path: "C:\Program Files\Sheed AntiVirus\shgrprot.exe".

If quoting the path is not possible immediately, restrict local user permissions to prevent placing malicious executables in directories referenced by the service path.

Additionally, consider restarting the service or the system after applying the fix to ensure the corrected path is used.

Useful 0 Not Useful 0