
CA Business Intelligence (CABI) experiences the "Microsoft Windows Unquoted Service Path Enumeration Vulnerability"


Article ID: 32387


Updated On:


SUPPORT AUTOMATION- SERVER; CA Service Desk Manager - Unified Self Service; CA Service Desk Manager; CA Service Management - Asset Portfolio Management; CA Service Management - Service Desk Manager


A third-party vulnerability scan reports that CABI services are vulnerable to "Microsoft Windows Unquoted Service Path Enumeration". The cause is that the service paths are not enclosed in quotes.


The unquoted service paths on the BusinessObjects server are:


SVNSubversion : SAP BusinessObjects Enterprise XI 4.0\\subversion\svnserve.exe


BOEXI40BWPublisherService : SAP BusinessObjects Enterprise XI 4.0\win32_x86\bwcepubsvc.exe




Applies to both CABI 4.1 SP3 and CABI 4.1 SP5 used with CA Service Management 14.1





  1. Take a backup of the CABI server registry.

  2. Open REGEDIT as an OS Administrator and navigate to the following location:
    HKLM -> SYSTEM -> CurrentControlSet -> Services

  3. Search for the CABI service named in the vulnerability report (for example, BOEXI40BWPublisherService) and edit the 'ImagePath' value and service path to include quotes, as follows:
    "D:\Program files (x86)\CA\CommonReporting4\SAP BusinessObjects Enterprise XI 4.0\win32_x86\bwcepubsvc.exe"

  4. Restart the CABI SIA service via the Central Configuration Manager (CCM).


Follow the same process for any other CABI service that has an unquoted service path in the registry and is reported by a third-party vulnerability scan.
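To find every service that still needs the edit from step 3 before the next scan, the following read-only PowerShell audit can be run as an Administrator. It is an added example, not CA or SAP tooling; the helper name Get-QuotedImagePath is hypothetical, and splitting the path from its arguments at the first ".exe" is a heuristic assumption.

```powershell
# Added example: read-only audit, nothing is written to the registry.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$noExpand    = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

# Hypothetical helper: returns the quoted ImagePath to enter in step 3,
# or $null when the value needs no change.
function Get-QuotedImagePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $value = $ImagePath.Trim()
    if ($value.StartsWith('"')) { return $null }        # already quoted
    # Heuristic (assumption): the executable ends at the first ".exe" that is
    # followed by whitespace or end of string; the rest is arguments.
    if ($value -notmatch '^(?<exe>.+?\.exe)(?<rest>\s.*)?$') { return $null }
    $exe  = $Matches['exe']
    $rest = $Matches['rest']                            # save before the next -match
    # Test the expanded path: %ProgramFiles% and similar expand to paths with spaces.
    $expanded = [Environment]::ExpandEnvironmentVariables($exe)
    if ($expanded -notmatch '\s') { return $null }      # no space, nothing to quote
    return '"' + $exe + '"' + $rest
}

# Walk every service key and report the ones that still need quoting.
Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $raw      = $_.GetValue('ImagePath', $null, $noExpand)  # value as REGEDIT shows it
    $proposed = Get-QuotedImagePath -ImagePath $raw
    if ($proposed) {
        [pscustomobject]@{
            Service   = $_.PSChildName
            ImagePath = $raw
            Proposed  = $proposed
        }
    }
} | Format-List

# Offline check using the path from step 3 with its quotes removed.
Get-QuotedImagePath 'D:\Program files (x86)\CA\CommonReporting4\SAP BusinessObjects Enterprise XI 4.0\win32_x86\bwcepubsvc.exe'
```

An empty result from the registry walk means no service on the host has an unquoted ImagePath containing a space; the final line should print the step 3 path wrapped in quotes.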




Release: SDMU0M99000-14.1-Service Desk Manager-Full License