NFA - At least one improperly configured Windows service may have a privilege escalation vulnerability.


Article ID: 225912


Updated On:

Products

CA Network Flow Analysis (NetQos / NFA)

Issue/Introduction

A Nessus vulnerability scan of the NFA console reported the following issue:

Insecure Windows Service Permissions

Plugin Name: At least one Windows service executable with insecure permissions was detected on the remote host.
Port: 445

Description:
At least one Windows service executable with insecure permissions was detected on the remote host. Services configured to use an executable with weak permissions are vulnerable to privilege escalation attacks.
An unprivileged user could modify or overwrite the executable with arbitrary code, which would be executed the next time the service is started. Depending on the user that the service runs as, this could result in privilege escalation.

Examples

Plugin Output:
Path : d:\ca\nfa\bin\nqhandy.exe
Used by services : nqserv
File write allowed for groups : Authenticated Users

Path : d:\ca\nfa\bin\nqreporter.exe
Used by services : nqreporter
File write allowed for groups : Authenticated Users

Path : d:\ca\nfa\odata\bin\wrapper.exe
Used by services : CA NFA OData Service
File write allowed for groups : Authenticated Users

Path : d:\ca\nfa\portal\sso\bin\perfcenter-sso.exe
Used by services : CAPerfCenter_SSO
File write allowed for groups : Authenticated Users

Path : d:\ca\nfa\reporter\netqos.reporteranalyzer.managerservice\bin\reportermanagerservice.exe
Used by services : NetQoS Reporter Manager Service
File write allowed for groups : Authenticated Users

 

Environment

Release : 10.x / 21.2.x

Component : NQRACO - NETQOS RA CONSOLE

Resolution

Check whether the NFA server has roles or users that belong to the groups Everyone, Users, Domain Users, or Authenticated Users.

Ensure the groups listed above do not have permission to modify or write to service executables.
 

Additionally, ensure these groups do not have Full Control permission on any directories that contain service executables.
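
One way to run the checks above across every installed service, as an added PowerShell example (not code from this article or from the vendor). The function and variable names are illustrative, and it assumes an elevated PowerShell prompt on the NFA server.

```powershell
# Added example (not vendor code): list service executables, and the folders
# holding them, that grant write-type access to the broad groups named above.
# Function and variable names are illustrative. Run elevated on the NFA server.

# Well-known SIDs, so the check is independent of the OS display language.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
}
# Rights that let a principal replace or alter a file, or add/remove files in a folder.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-ServiceExecutablePath([string]$PathName) {
    # PathName may be quoted, unquoted with arguments, or unquoted with spaces.
    if ($PathName -match '^\s*"([^"]+)"')    { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return ($PathName.Trim() -split '\s+')[0]
}

function Get-WeakAce([string]$Path) {
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid   = $ace.IdentityReference.Value
        $group = $broadSids[$sid]
        # Domain Users is <domain SID>-513, so match on the RID suffix.
        if (-not $group -and $sid -match '^S-1-5-21-.+-513$') { $group = 'Domain Users' }
        if ($group -and $ace.AccessControlType -eq 'Allow' -and
            ([int]$ace.FileSystemRights -band $writeMask)) {
            [pscustomobject]@{ Path = $Path; Group = $group; Rights = $ace.FileSystemRights }
        }
    }
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service | Where-Object PathName) {
    $exe = Get-ServiceExecutablePath $svc.PathName
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
    foreach ($target in @($exe, [System.IO.Path]::GetDirectoryName($exe))) {
        try {
            Get-WeakAce $target |
                Select-Object @{ n = 'Service'; e = { $svc.Name } }, Path, Group, Rights
        } catch { Write-Warning "Could not read ACL for ${target}: $_" }
    }
}
$findings | Sort-Object Service, Path | Format-Table -AutoSize -Wrap
```

Each row is an Allow entry, explicit or inherited, that still needs to be removed or reduced. An empty result after remediation means none of the four groups can write to a service executable or its folder.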

Additional Information


Windows privilege escalation via weak service permissions

Insecure Windows Service Permissions