Vulnerability unquoted service path

[Ben]

Hello,

We did another scan of one of our customer with a new tool, this one points out ActiveRMAservice to be subject of an exploit:

https://github.com/nickvourd/Windows-Lo ... icePath.md

https://techcommunity.microsoft.com/dis ... do/3298358

for reference on one of our servers:


This vulnerability can be exploited to gain priviledges from the account used to launche activerma service, in our case System.

Have a good day,

Ben

[KS-Soft]

Thank you for the report, problem was fixed years ago.
On old installations you just need to reinstall RMA service using rma_cfg tool or modify Windows registry (add "" marks manually)
(2nd option will help even if you cannot update software for some reasons)

Regards
Alex

[Ben]

Ok so for the installation, I guess I have to do a uninstall then reinstall, because those RMA are updated periodically when you release new versions.

I'll maybe try to fix some of it through the add of the quotes in the registry value.

Thanks for your answer.

[KS-Soft]

Not software reinstall, just service reinstall.
rma_cfg (admin account) -> setup Active RMA -> Stop -> Uninstall -> Install

Regards
Alex

[Ben]

I just tried, the uninstall does indeed delete the entry \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ActiveRMAService

But after reinstalling, the path is the same under the value ImagePath and stays unquoted.

ActiveRMA Setup 4.36

[Ben]

I did update the whole package to last version, active rma setup now 4.44 and yes after reinstalling the service as you suggested, the path now has quotes.

Thanks for the help.

[KS-Soft]

You are welcome

Regards
Alex