Tenable plugin 63155 and Qualys QID 105484 reference a medium-severity vulnerability regarding unquoted search paths. Unfortunately the fix action tends to be a bit vague. If you’re looking for a Windows unquoted search path fix, you’ve come to the right place. Here’s how to fix unquoted paths in Windows and clear Tenable plugin 63155 and Qualys QID 105484.
How bad is the Windows unquoted search paths vulnerability?
I never paid much mind to plugin 63155/QID 105484. It allows unauthorized, untrusted software to run, and that’s bad. But if you’re in a position to take advantage of this, you’re in a position to do lots of other things too. I’ve always given things like keeping your office suite and web browser and browser plugins up to date higher priority.
Since this is a fix that requires a configuration change, not a patch, and the fix varies from machine to machine, this is a nagging one.
The Windows unquoted search path fix
If you absolutely, positively need a clean scan, here’s how to fix Tenable plugin 63155 or Qualys QID 105484.
First, open a command prompt and run this command:
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
When I ran the command, I got this result:
Intel(R) Management and Security Application Local Management Service LMS C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe Auto
Gee, thanks Intel!
Next, open Regedit. I have an introduction to registry editing if you’re unfamiliar with this. Look in HKLM\System\CurrentControlSet\Services for the service you found.
The culprit is in the setting named ImagePath. Add quotes around everything to fix it.
If you don’t mind enabling PowerShell, Microsoft has an automated fix. That said, I think having PowerShell enabled is a bigger vulnerability than the unquoted paths issue. If you have it enabled anyway, this fix is convenient.
If the service in question is something you don’t really need, uninstall it instead.
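As an added example that is not part of the original post (nor Microsoft's own fix script), this PowerShell script does what the wmic command and the Regedit step do together: it lists services whose ImagePath is unquoted and contains a space, shows the quoted value it would write, and with -Fix writes it back. The $svcRoot, $pattern and -Fix names are my own, and it assumes an elevated (Administrator) PowerShell session.

```powershell
# Added example (not from the original post): audit services whose ImagePath is
# unquoted and contains a space, and quote them when -Fix is given.
# Assumes an elevated (Administrator) PowerShell session.
param([switch]$Fix)

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
# The executable part ends at the first ".exe"; anything after it is arguments.
$pattern = '^(?<exe>[^"]*?\.exe)(?<args>\s.*)?$'
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

$findings = foreach ($key in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    $path  = $props.ImagePath
    if (-not $path) { continue }                         # no ImagePath at all
    if ($path.TrimStart().StartsWith('"')) { continue }  # already quoted
    $m = [regex]::Match($path, $pattern, 'IgnoreCase')
    if (-not $m.Success) { continue }                    # e.g. system32\drivers\foo.sys
    $exe = $m.Groups['exe'].Value
    if ($exe -notmatch ' ') { continue }                 # no space, so nothing is ambiguous
    [pscustomobject]@{
        Service   = $key.PSChildName
        Start     = $startNames[[int]$props.Start]
        ImagePath = $path
        Fixed     = '"' + $exe + '"' + $m.Groups['args'].Value
    }
}

$findings | Format-Table -AutoSize

if ($Fix) {
    foreach ($f in $findings) {
        $keyPath = Join-Path $svcRoot $f.Service
        # Keep the existing value kind (REG_EXPAND_SZ vs REG_SZ) so %SystemRoot%-style
        # paths still expand after the rewrite.
        $kind = (Get-Item -Path $keyPath).GetValueKind('ImagePath')
        Set-ItemProperty -Path $keyPath -Name ImagePath -Value $f.Fixed -Type $kind
        Write-Host "Quoted ImagePath for service $($f.Service)"
    }
}
```

Run it once without -Fix to review the list (a path written with %ProgramFiles% is not flagged, because its space only appears after expansion), then rerun with -Fix and confirm with the wmic command above that the scanner finding clears.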
How important is this to fix?
Like I said, in order to be able to use this, you’re already on a system and in position to do other things. This is the kind of vulnerability an attacker would use to maintain a presence on a system, rather than get a foothold on one. In other words, if this is a problem, the attacker is already winning. This vulnerability helps an attacker establish a dynasty.
So, since this is hard to fix, how do you prioritize it? On some level, you know how important a system is. If every computer on your network evaporated tomorrow, what systems would you rebuild first? Those are the systems that deserve this effort. Once you get those done, take care of the others as you get to them.