'Windows Service Weak Permissions detected" vulnerability found for DevTest 10.6

Article Id: 196854
Status: Published
Updated On: 07-08-2020 11:03
Products:
CLOUDTEST , CA Application Test , CA Cloud Test Mobile , MOBILECLOUD , Service Virtualization
Issue/Introduction:

Our security team has flagged out DevTest 10.6 VM with the following vulnerability.  Please assist to remediate.

Cause:

 

Windows Service Weak Permissions detected

  • OS: Windows Server 2016 Standard 64 bit Edition Version 1607
  • Title: Windows Service Weak Permissions detected
  • Severity: 3
  • Threat: The below list running services on Windows have weak permissions and are susceptible to privilege escalation. A user with an unprivileged account can overwrite or modify the service executable with malicious code, when the service is (re)started next time, the user will be able to gain elevated privileges. 
  • Impact: Successful exploitation will lead to privilege escalation.
  • Solution: These User groups should not have any "write" or "modify" permissions for the listed service executables.
  • Exploitability: Source: Qualys
    Reference:CVE-0000-0000
    Description:Windows Escalate Service Permissions Local Privilege Escalation
  • Results: '------------------------------------------------------------      
    • c:\\program files\\ca\\devtest\\bin\\brokerservice.exe
    • c:\\program files\\ca\\devtest\\bin\\coordinatorservice.exe
    • c:\\program files\\ca\\devtest\\bin\\enterprisedashboardcicservice.exe
    • c:\\program files\\ca\\devtest\\bin\\enterprisedashboardservice.exe
    • c:\\program files\\ca\\devtest\\bin\\portalservice.exe
    • c:\\program files\\ca\\devtest\\bin\\registryservice.exe
    • c:\\program files\\ca\\devtest\\bin\\simulatorservice.exe
    • c:\\program files\\ca\\devtest\\bin\\virtualserviceenvironmentservice.exe
    • c:\\program files\\ca\\devtest\\identityaccessmanager\\bin\\identityaccessmanagerservice.exe      
      ------------------------------------------------------------      
      Users access_allowed   write_extended_attributes read_attributes execute read_extended_attributes standard_write_owner standard_write_dac write_attributes synchronize read_data standard_read standard_delete append_data write_data delete_child

Environment:

Release : 10.6

Component : CA Service Virtualization

Resolution:

The 'Windows Service Weak Permissions detected’ vulnerability isn't a product related vulnerability, but rather how the Service account, or User accounts have been set up in Windows. You need to work with your Windows System Admin, IT department, or Security team to resolve the issue.

Check your user privileges, and properly configure the services permissions and the folders where the service exists. Normal user should not be able to start or stop any of the DefTest services, and Administrators should only have access to the folder where the binaries, for the various services are stored.

For more information regarding this exact vulnerability, see:

https://medium.com/@asfiyashaikh10/windows-privesc-weak-service-permission-b90f3bf4d44f


Additional Information:

 

As a reminder, the recommended order of starting the DevTest services is:

1. Identity Access Manager
2. Enterprise Dashboard
3. Registry
4. VSE
5. Portal
6. Coordinatior/Simultor/Broker (if any are needed)

Note: Shutdown order is just opposite of startup.