high advisory

OKI sPSV Port Manager Unquoted Service Path Vulnerability (CVE-2020-37229)

OKI sPSV Port Manager 1.0.41 contains an unquoted service path vulnerability in the sPSVOpLclSrv service, allowing local attackers to escalate privileges by inserting executable files into the unquoted path.

OKI sPSV Port Manager 1.0.41 registers the sPSVOpLclSrv service with an unquoted executable path (CVE-2020-37229). When a service path contains spaces and is not wrapped in quotes, Windows tries each space-delimited prefix of the path as a candidate executable before it reaches the intended binary. A local attacker who can write to a directory along that path can therefore plant an executable that runs with LocalSystem privileges when the service restarts or the system reboots. Wherever the vulnerable software is installed, this can lead to complete system compromise by a local attacker.

Attack Chain

  1. Attacker gains low-privilege access to the target Windows system.
  2. Attacker identifies the vulnerable service, sPSVOpLclSrv, and its unquoted service path.
  3. Attacker creates a malicious executable (e.g., payload.exe) designed to elevate privileges.
  4. Attacker places the malicious executable in a directory within the unquoted service path (e.g., C:\Program Files\OKI\sPSV Port Manager\payload.exe).
  5. Attacker triggers a restart of the sPSVOpLclSrv service or reboots the system.
  6. The operating system attempts to execute the service using the unquoted path, inadvertently executing the malicious executable placed by the attacker.
  7. The malicious executable runs with LocalSystem privileges, granting the attacker elevated access.
  8. The attacker leverages the elevated privileges to perform malicious actions, such as installing backdoors, creating new user accounts, or exfiltrating sensitive data.

Impact

Successful exploitation of this unquoted service path vulnerability (CVE-2020-37229) allows a local attacker to escalate privileges to LocalSystem. This level of access grants the attacker complete control over the compromised system, enabling them to install malware, steal sensitive information, or disrupt critical business operations. The vulnerability affects systems running OKI sPSV Port Manager 1.0.41.

Recommendation

  • Apply the necessary patch or upgrade to a version of OKI sPSV Port Manager that addresses CVE-2020-37229.
  • Deploy the Sigma rule “Detect Unquoted Service Path Exploitation - OKI sPSV Port Manager” to identify potential exploitation attempts by monitoring process creations related to the vulnerable service.
  • Regularly audit service configurations to identify and remediate unquoted service paths, mitigating this class of vulnerabilities.
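
One way to run the service-path audit from the last recommendation, as an added example (not code from the vendor or from this feed). The function name Test-UnquotedServicePath and the sample paths are constructed for illustration; the service binary name in the samples is a placeholder.

```powershell
# Added example: audit helper, not vendor- or feed-supplied code.
# Test-UnquotedServicePath is a hypothetical name chosen for this example.
function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$PathName)

    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return $false }   # executable path is already quoted

    # Isolate the executable portion (up to the first ".exe" followed by
    # whitespace or end of string) so spaces in arguments are ignored.
    $m = [regex]::Match($p, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
    if (-not $m.Success) { return $false }      # e.g. kernel drivers (.sys)

    return $m.Groups[1].Value.Contains(' ')     # space inside an unquoted exe path
}

# Constructed sample values; the binary name is a placeholder, not the real one.
$samples = @(
    'C:\Program Files\OKI\sPSV Port Manager\example-service.exe',      # flagged
    '"C:\Program Files\OKI\sPSV Port Manager\example-service.exe"',    # quoted
    'C:\Windows\System32\svchost.exe -k netsvcs -p'                    # no space in exe path
)
foreach ($s in $samples) {
    '{0,-5} {1}' -f (Test-UnquotedServicePath $s), $s
}

# Live audit of the local machine (Windows only).
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and (Test-UnquotedServicePath $_.PathName) } |
    Sort-Object Name |
    Select-Object Name, StartName, StartMode, PathName |
    Format-Table -AutoSize -Wrap
```

A flagged service is remediated by wrapping the executable portion of its ImagePath value (under HKLM\SYSTEM\CurrentControlSet\Services\<service name>) in double quotes. Also confirm that non-administrators cannot write to the directories along the path.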

Detection coverage (2 rules)

Detect Unquoted Service Path Exploitation - OKI sPSV Port Manager

high

Detects potential exploitation of the unquoted service path vulnerability in OKI sPSV Port Manager (CVE-2020-37229) by monitoring for unexpected process creations in the service path.

Format: sigma; tactics: privilege_escalation; techniques: T1068, T1543.003; sources: process_creation, windows

Detect sPSVOpLclSrv Service Creation with Unquoted Path

medium

Detects the creation of the sPSVOpLclSrv service with an unquoted path, which is indicative of CVE-2020-37229.

Format: sigma; tactics: privilege_escalation; techniques: T1068, T1543.003; sources: registry_set, windows
