'Windows Service Weak Permissions detected" vulnerability found for DevTest 10.6

Products

CLOUDTEST CA Application Test CA Cloud Test Mobile MOBILECLOUD Service Virtualization

Issue/Introduction

Our security team has flagged out DevTest 10.6 VM with the following vulnerability. Please assist to remediate.

Cause

Windows Service Weak Permissions detected

OS: Windows Server 2016 Standard 64 bit Edition Version 1607
Title: Windows Service Weak Permissions detected
Severity: 3
Threat: The below list running services on Windows have weak permissions and are susceptible to privilege escalation. A user with an unprivileged account can overwrite or modify the service executable with malicious code, when the service is (re)started next time, the user will be able to gain elevated privileges.
Impact: Successful exploitation will lead to privilege escalation.
Solution: These User groups should not have any "write" or "modify" permissions for the listed service executables.
Exploitability: Source: Qualys
Reference:CVE-0000-0000
Description:Windows Escalate Service Permissions Local Privilege Escalation
Results: '------------------------------------------------------------
- c:\\program files\\ca\\devtest\\bin\\brokerservice.exe
- c:\\program files\\ca\\devtest\\bin\\coordinatorservice.exe
- c:\\program files\\ca\\devtest\\bin\\enterprisedashboardcicservice.exe
- c:\\program files\\ca\\devtest\\bin\\enterprisedashboardservice.exe
- c:\\program files\\ca\\devtest\\bin\\portalservice.exe
- c:\\program files\\ca\\devtest\\bin\\registryservice.exe
- c:\\program files\\ca\\devtest\\bin\\simulatorservice.exe
- c:\\program files\\ca\\devtest\\bin\\virtualserviceenvironmentservice.exe
- c:\\program files\\ca\\devtest\\identityaccessmanager\\bin\\identityaccessmanagerservice.exe
  ------------------------------------------------------------
  Users access_allowed write_extended_attributes read_attributes execute read_extended_attributes standard_write_owner standard_write_dac write_attributes synchronize read_data standard_read standard_delete append_data write_data delete_child

Environment

Release : 10.6

Component : CA Service Virtualization

Resolution

The 'Windows Service Weak Permissions detected’ vulnerability isn't a product related vulnerability, but rather how the Service account, or User accounts have been set up in Windows. You need to work with your Windows System Admin, IT department, or Security team to resolve the issue.

Check your user privileges, and properly configure the services permissions and the folders where the service exists. Normal user should not be able to start or stop any of the DefTest services, and Administrators should only have access to the folder where the binaries, for the various services are stored.

For more information regarding this exact vulnerability, see:

https://medium.com/@asfiyashaikh10/windows-privesc-weak-service-permission-b90f3bf4d44f

Additional Information

As a reminder, the recommended order of starting the DevTest services is:

1. Identity Access Manager
2. Enterprise Dashboard
3. Registry
4. VSE
5. Portal
6. Coordinatior/Simultor/Broker (if any are needed)

Note: Shutdown order is just opposite of startup.