C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe /service - this service has an unquoted path.
Please fix it ASAP.
The HMPA component's installer was recently updated. I can only think this was introduced at that point as it wasn't always an issue as QC mentions. The EDR product even has a query for this named "Unquoted paths in the service registry keys":
Lists unquoted paths in the service registry keys. Unquoted paths allow an adversary to place an application in a higher-level directory so that Windows finds that application instead of the intended one. (MITRE category T1034)
Created by Sophos
SELECT
r.path,
r.data
FROM registry r
WHERE
r.path like 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%\ImagePath'
-- Check for data that looks like a path, does not start with a quote and contains a space
-- Note: If the data has a parameter with a . in it will be incorrectly matched
AND r.data like '%:\%'
AND r.data not like '"%'
AND rtrim(r.data, replace(r.data, '.', '')) LIKE '% %'
I assume it will be fixed at the first opportunity.
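As an added illustration (not part of the thread or of Sophos's query), the detection logic above ported to Python alongside a stricter check: the SQL predicate flags any unquoted value whose text up to the last '.' contains a space, so an argument such as `--config=settings.ini` is a false positive, while splitting on the first `.exe` token avoids that. The sample ImagePath values are constructed; the first copies the path reported in this thread.

```python
import re

# Constructed sample ImagePath values (not real registry data); the first
# mirrors the path reported in this thread.
SAMPLE_IMAGE_PATHS = {
    "hmpalertsvc": r"C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe /service",
    "quotedsvc": r'"C:\Program Files\Vendor\agent.exe" /run',
    "nospace": r"%SystemRoot%\system32\svchost.exe -k LocalService",
    "dotted_arg": r"C:\tools\svc.exe --config=settings.ini",
}

def thread_query_heuristic(data: str) -> bool:
    """Python port of the SQL predicate in the query above.

    rtrim(data, replace(data, '.', '')) strips every character except '.'
    from the right, leaving the text up to the last '.'; a space in that
    prefix flags the value. Arguments containing a '.' are false positives.
    """
    if ":\\" not in data or data.startswith('"'):
        return False
    head = data[: data.rfind(".") + 1] if "." in data else ""
    return " " in head

def executable_part(image_path: str) -> str:
    """Executable portion of an unquoted ImagePath: the text up to the first
    '.exe' that is followed by whitespace or the end of the string."""
    s = image_path.strip()
    m = re.match(r"(.*?\.exe)(?=\s|$)", s, re.IGNORECASE)
    return m.group(1) if m else s.split(" ", 1)[0]

def is_unquoted_with_space(image_path: str) -> bool:
    """True when the value is unquoted and the executable path contains a
    space (the condition MITRE T1034 describes)."""
    s = image_path.strip()
    return not s.startswith('"') and " " in executable_part(s)

def quoted_fix(image_path: str) -> str:
    """Rewrite the value with the executable path wrapped in quotes."""
    s = image_path.strip()
    if s.startswith('"'):
        return s
    exe = executable_part(s)
    return f'"{exe}"{s[len(exe):]}'

def scan(image_paths: dict) -> dict:
    """Map each vulnerable service name to its corrected ImagePath."""
    return {n: quoted_fix(p) for n, p in image_paths.items()
            if is_unquoted_with_space(p)}
```

Running `scan(SAMPLE_IMAGE_PATHS)` reports only `hmpalertsvc`, whereas `thread_query_heuristic` also flags `dotted_arg`.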
Hi lukg,
Thank you for updating the community thread. I've marked your response as an answer.
It's fixed in Hitmanpro version 3.8.2, which doesn't have announced dates yet, but this version is already available as a Hotfix. The Hotfix, after some testing, becomes part of the general release (likely sometime in June). Here is the Hotfix download link:
https://support.sophos.com/support/s/article/KB-000038477?language=en_US
For context, this article describes how to exploit this vulnerability https://gracefulsecurity.com/privesc-unquoted-service-path/
This is considered a low-risk vulnerability, as it would only succeed when all 3 of the conditions below are in effect:
1) admin access on a system in order to make c:\program.exe
2) The AV completely failed to detect program.exe
3) Whatever exploit they used to get admin rights was not blocked by Hitmanpro
If the attacker already managed to bypass AV and has full admin access, then there is no reason for them to use this vulnerability, as they can proceed with executing the payload.
I see the hotfix installer was released today - Sophos Central Intercept X, Central Server Intercept X Advanced and Sophos Exploit Prevention cumulative hotfix
This quotes the ImagePath under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hmpalertsvc