
Qualys vulnerability scan reports Weak Permissions detected for PAM A2A in Windows


Article ID: 200788


Products

  • CA Privileged Access Manager (PAM)
  • CA Privileged Access Manager - Cloakware Password Authority (PA)
  • CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

A customer is running the PAM A2A client on a Windows server. The customer's security team runs a Qualys security scan against this Windows server, and the scan calls out the PAM service as susceptible to malicious attacks. The customer requested remediation.

 

Cause

Windows Service Weak Permissions detected

  • OS: Windows Server 2016 Standard 64 bit Edition Version 1607
  • Title: Windows Service Weak Permissions detected
  • Severity: 3
  • Threat: The below list running services on Windows have weak permissions and are susceptible to privilege escalation. A user with an unprivileged account can overwrite or modify the service executable with malicious code, when the service is (re)started next time, the user will be able to gain elevated privileges. 
  • Impact: Successful exploitation will lead to privilege escalation.
  • Solution: These User groups should not have any "write" or "modify" permissions for the listed service executables.
  • Exploitability: Source: Qualys
    Reference:CVE-0000-0000
    Description:Windows Escalate Service Permissions Local Privilege Escalation
  • Results:

------------------------------------------------------------
c:\\cspm\\cloakware\\cspmclient\\bin\\cspmclientd.exe
------------------------------------------------------------
Users access_allowed append_data standard_delete write_data standard_write_owner standard_write_dac execute write_attributes read_extended_attributes read_attributes synchronize delete_child read_data standard_read write_extended_attributes

Environment

Release : 3.3

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

The 'Windows Service Weak Permissions detected' finding is not a product-related vulnerability; it results from how the service account or user accounts have been set up in Windows. You need to work with your Windows system administrator, IT department, or security team to resolve the issue.

Check your user privileges, and properly configure the permissions on the services and on the folders where the service executables reside. Normal users should not be able to start or stop any of the PAM services, and only Administrators should have access to the folder where the binaries for the various services are stored.

For more information regarding this exact vulnerability, refer to the link below:

https://medium.com/@asfiyashaikh10/windows-privesc-weak-service-permission-b90f3bf4d44f
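
One way to verify the permissions described in the Resolution, as an added example that is not part of the original article or of the product: a PowerShell script that lists the allow entries giving non-administrative principals write-class rights on the executable named in the scan result and on its parent folders. The list of trusted SIDs is an assumption; add the service's own account if it legitimately needs write access.

```powershell
# Added example (not vendor code): list allow-ACEs that give a non-administrative
# principal write-class rights on a service executable and its parent folders.
param(
    # Default is the executable path reported in the scan result.
    [string]$Path = 'C:\cspm\cloakware\cspmclient\bin\cspmclientd.exe'
)

# Rights that allow replacing the file or rewriting its ACL. They correspond to the
# scanner's write_data, append_data, standard_delete, delete_child,
# standard_write_dac and standard_write_owner.
$risky = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# Assumption: only these well-known SIDs are expected to hold write access.
$trusted = @(
    'S-1-5-18',        # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',    # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# Check the executable and every folder above it, stopping before the drive root.
$file    = Get-Item -LiteralPath $Path -ErrorAction Stop
$targets = @($file.FullName)
for ($d = $file.Directory; $d -and $d.Parent; $d = $d.Parent) { $targets += $d.FullName }

$sidType  = [System.Security.Principal.SecurityIdentifier]
$findings = foreach ($t in $targets) {
    foreach ($ace in (Get-Acl -LiteralPath $t).GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to child objects, not to this object itself.
        if ($ace.PropagationFlags.HasFlag($inheritOnly)) { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        $hit = [int]$ace.FileSystemRights -band $risky
        if ($hit -eq 0) { continue }
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $ace.IdentityReference.Value }   # SID that cannot be resolved
        [pscustomobject]@{
            Path      = $t
            Principal = $name
            Rights    = [System.Security.AccessControl.FileSystemRights]$hit
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { "No write-class ACEs for non-administrative principals on $Path or its parent folders." }
```

Rows with Inherited set to True have to be corrected on the parent folder they come from, or by changing inheritance on the affected folder, rather than on the executable alone.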

Additional Information

None.