Our security scanner is reporting that two services installed on our Server 2012 server are a potential security risk. The two services are:
WSUSService.exe - Path: %ProfileFiles%\Update Services\Services\WsusService.exe
WSusCertServer - Path: %ProfileFiles%\Update Services\Services\WSusCertServer.exe
The following specific references are provided supporting this position:
CVE-2013-1609
CVE-2014-0759
Is my scanner correct that these are vulnerabilities because the service paths are not quoted, or is this not really an issue for these specific services?
The following additional information was provided by the scanner:
Synopsis: The remote Windows host has at least one service installed that uses an unquoted service path.
Description
The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace. A local attacker could gain elevated privileges by inserting an executable file in the path of the affected service. Note that this is a generic test that will flag any application affected by the described vulnerability.
Solution
Ensure that any services that contain a space in the path enclose the path in quotes.
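A read-only audit for the condition the scanner describes, as an added example that is not part of the original post or the scanner's output: it lists services whose executable path contains whitespace and is not enclosed in quotes, together with the quoted form the scanner's solution calls for. The function names `Split-ServiceCommand` and `Get-UnquotedServicePath` are hypothetical, and the script assumes service binaries end in `.exe`.

```powershell
# Added example: report services with unquoted executable paths containing spaces.
# Read-only; it changes nothing on the host.

function Split-ServiceCommand {
    # Splits a service command line into the executable path and its arguments.
    # Returns $null when the path is already quoted or no .exe can be isolated.
    param([string]$PathName)

    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $cmd = $PathName.Trim()
    if ($cmd.StartsWith('"')) { return $null }   # already quoted

    # Executable = shortest prefix ending in ".exe" followed by whitespace or end.
    $m = [regex]::Match($cmd, '^(?<exe>.+?\.exe)(?<args>\s.*)?$', 'IgnoreCase')
    if (-not $m.Success) { return $null }

    [pscustomobject]@{
        Executable = $m.Groups['exe'].Value
        Arguments  = $m.Groups['args'].Value
    }
}

function Get-UnquotedServicePath {
    # Enumerates installed services and keeps those the scanner would flag.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $parts = Split-ServiceCommand -PathName $_.PathName

        # Flag only when the executable portion itself contains whitespace;
        # spaces that appear solely in the arguments are not the issue.
        if ($parts -and $parts.Executable -match '\s') {
            [pscustomobject]@{
                Name         = $_.Name
                RunsAs       = $_.StartName
                CurrentPath  = $_.PathName
                ProposedPath = '"{0}"{1}' -f $parts.Executable, $parts.Arguments
            }
        }
    }
}

Get-UnquotedServicePath | Format-List
```

The value shown as `ProposedPath` is what belongs in the service's `ImagePath` under `HKLM\SYSTEM\CurrentControlSet\Services\<service name>`; an empty result means no installed service matches the scanner's generic test.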