CVE-2020-37047
📋 TL;DR
CVE-2020-37047 is an unquoted service path vulnerability in Deep Instinct Windows Agent that allows local attackers to execute arbitrary code with LocalSystem privileges. Attackers can place malicious executables in the unquoted path to achieve privilege escalation. This affects Windows systems running Deep Instinct Agent version 1.2.29.0.
💻 Affected Systems
- Deep Instinct Windows Agent
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via LocalSystem privilege escalation leading to complete control of the Windows host, data theft, and lateral movement capabilities.
Likely Case
Local privilege escalation allowing attackers to gain administrative control of the affected system and potentially deploy additional malware.
If Mitigated
Limited impact if proper endpoint security controls, application whitelisting, and least privilege principles are enforced.
🎯 Exploit Status
Exploit requires local access to the system. Public exploit code is available on Exploit-DB (ID 48174).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.2.29.0
Vendor Advisory: https://www.deepinstinct.com/
Restart Required: Yes
Instructions:
1. Update Deep Instinct Windows Agent to the latest version.
2. Restart the DeepMgmtService service.
3. Verify the service path is properly quoted in Windows Services.
🔧 Temporary Workarounds
Manually quote service path
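Manually update the service path to include quotes around the executable path. The inner quotes must be escaped as \" so that they are stored in the service configuration; otherwise the command line parser consumes the outer quotes and the stored path stays unquoted.
sc config DeepMgmtService binPath= "\"C:\Program Files\HP Sure Sense\DeepMgmtService.exe\""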
Restrict write permissions
Remove write permissions for non-administrative users on the vulnerable directory path
icacls "C:\Program Files\HP Sure Sense" /deny Users:(OI)(CI)W
🧯 If You Can't Patch
- Implement application whitelisting to prevent execution of unauthorized binaries
- Enforce least privilege principles and restrict local user permissions on affected systems
🔍 How to Verify
Check if Vulnerable:
Check if DeepMgmtService service path is unquoted: sc qc DeepMgmtService | findstr BINARY_PATH_NAME
Check Version:
Check Deep Instinct agent version in Control Panel > Programs and Features or via registry: reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s | findstr /i "Deep Instinct"
Verify Fix Applied:
Verify the service path is quoted: sc qc DeepMgmtService should show the path in quotes. Check that the agent version is >1.2.29.0.
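The check above can be automated across collected `sc qc` output. The following is an added example, not code from the vendor or the original advisory: it decides whether the executable path is unquoted and contains spaces (ignoring spaces that occur only in arguments) and lists the fallback executable names Windows would try first, which are the paths to check for unexpected files and to cover in file-creation monitoring. The sample output is constructed from the path on this page, and the function names are hypothetical.

```python
import re

# Constructed sample of `sc qc DeepMgmtService` output, built from the path on this page.
SAMPLE_SC_QC = r"""
SERVICE_NAME: DeepMgmtService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\HP Sure Sense\DeepMgmtService.exe
        SERVICE_START_NAME : LocalSystem
"""

def binary_path(sc_qc_output):
    """Extract the BINARY_PATH_NAME value from `sc qc` output, or None."""
    m = re.search(r"^[ \t]*BINARY_PATH_NAME[ \t]*:[ \t]*(.*)$", sc_qc_output, re.M)
    return m.group(1).strip() if m else None

def image_path(cmdline):
    """Split a service command line into (executable path, was_quoted)."""
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return (cmdline[1:end] if end != -1 else cmdline[1:]), True
    # Unquoted: the image ends at the first ".exe" followed by whitespace or end,
    # so spaces that appear only in the arguments are not counted.
    m = re.match(r"(.+?\.exe)(?=\s|$)", cmdline, re.I)
    if m:
        return m.group(1), False
    return (cmdline.split() or [""])[0], False

def paths_to_watch(cmdline):
    """Executable names Windows tries before the real image; [] means not affected."""
    image, quoted = image_path(cmdline)
    if quoted or " " not in image:
        return []
    parts = image.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]

if __name__ == "__main__":
    path = binary_path(SAMPLE_SC_QC)
    hits = paths_to_watch(path)
    print("UNQUOTED" if hits else "OK", path)
    for p in hits:
        print("  check for unexpected file:", p)
```

None of the listed fallback names sits inside the `HP Sure Sense` folder, so ACL review and monitoring should also cover the parent directories those names fall in.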
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing service path modifications
- Unexpected executables running from C:\Program Files\HP Sure Sense directory
- Process creation events for suspicious executables in vulnerable path
Network Indicators:
- Unusual outbound connections from DeepMgmtService.exe
- Lateral movement attempts from compromised systems
SIEM Query:
EventID=4688 AND (NewProcessName="*Program Files*HP Sure Sense*" OR NewProcessName="*Program Files*HP*Sure*Sense*")