CVE-2022-23909

7.8 HIGH

📋 TL;DR

This CVE describes an unquoted service path vulnerability in Sherpa Connector Service that allows local attackers to escalate privileges by placing a malicious executable in the service path. It affects systems running vulnerable versions of Sherpa Connector Service. Attackers need local access to exploit this vulnerability.

💻 Affected Systems

Products:
  • Sherpa Connector Service
Versions: 2020.2.20328.2050 and likely earlier versions
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Windows systems where Sherpa Connector Service is installed with default configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Local attacker gains SYSTEM/administrator privileges, enabling complete system compromise, persistence, and lateral movement.

🟠 Likely Case: Local user with limited privileges escalates to administrative rights, potentially installing malware or accessing sensitive data.

🟢 If Mitigated: With proper access controls and monitoring, exploitation attempts are detected and blocked before privilege escalation occurs.

🌐 Internet-Facing: LOW - This requires local access to the system, not remote exploitation.
🏢 Internal Only: HIGH - Local attackers (including malicious insiders or compromised accounts) can exploit this to gain elevated privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access and ability to write to C:\Program Files\Sherpa Software\ directory. Public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No vendor advisory found in provided references

Restart Required: Yes

Instructions:

1. Check for updated version from vendor
2. If patch available, download and install
3. Restart affected service or system
4. Verify service path is properly quoted

🔧 Temporary Workarounds

Quote Service Path (Windows)

Modify the service configuration to use a quoted service path. The space after binPath= is required by sc.exe, and the escaped inner quotes are what make the stored path quoted:

sc config "SherpaConnectorService" binPath= "\"C:\Program Files\Sherpa Software\SherpaConnectorService.exe\""

Restrict Directory Permissions (Windows)

Set proper ACLs on the Sherpa Software directory to prevent unauthorized writes:

icacls "C:\Program Files\Sherpa Software" /deny Users:(OI)(CI)W

🧯 If You Can't Patch

  • Implement strict access controls to prevent unauthorized users from writing to program directories
  • Monitor for suspicious file creation in C:\Program Files\Sherpa Software\ directory

🔍 How to Verify

Check if Vulnerable:

Check whether the SherpaConnectorService binary path is unquoted (a BINARY_PATH_NAME that contains spaces and has no surrounding quotes is vulnerable): sc qc "SherpaConnectorService" | findstr BINARY_PATH_NAME
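Added example (not part of this advisory): a Python check that parses the `sc qc` output above, flags an unquoted path containing spaces, and lists the lookup candidates Windows tries before the real image, so an administrator knows which parent directories must not be writable by standard users. The service name and image path are the ones this page cites; the `sc qc` output text itself is constructed, not captured from a host.

```python
import re

# Constructed sample of `sc qc "SherpaConnectorService"` output (not a real capture);
# the service name and image path are the ones this advisory cites.
SAMPLE_SC_QC = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SherpaConnectorService
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\Program Files\\Sherpa Software\\SherpaConnectorService.exe
        DISPLAY_NAME       : Sherpa Connector Service
"""

def binary_path(sc_qc_output):
    """Extract BINARY_PATH_NAME from `sc qc` text; raise if the field is missing."""
    m = re.search(r"BINARY_PATH_NAME\s*:\s*(.*)", sc_qc_output)
    if not m:
        raise ValueError("no BINARY_PATH_NAME field in sc qc output")
    return m.group(1).strip()

def is_unquoted_with_spaces(path):
    """The vulnerable condition: no leading quote and at least one space in the path."""
    return not path.startswith('"') and " " in path

def lookup_candidates(path):
    """Executables Windows would try before the real image, in lookup order.
    Each prefix ending at a space becomes '<prefix>.exe'; arguments after .exe are ignored."""
    if not is_unquoted_with_spaces(path):
        return []
    m = re.match(r"(.*?\.exe)", path, re.IGNORECASE)
    image = m.group(1) if m else path
    parts = image.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]

def dirs_to_check(candidates):
    """Parent directory of each candidate; standard users must not be able to write here."""
    dirs = []
    for c in candidates:
        d = c.rsplit("\\", 1)[0]
        d = d + "\\" if d.endswith(":") else d
        if d not in dirs:
            dirs.append(d)
    return dirs

if __name__ == "__main__":
    p = binary_path(SAMPLE_SC_QC)
    print("vulnerable" if is_unquoted_with_spaces(p) else "ok", p)
    for d in dirs_to_check(lookup_candidates(p)):
        print("check ACL on", d)
```

A quoted path (or one with no spaces) yields no candidates; the directories returned are where write ACLs matter most, in addition to the Sherpa Software folder the workaround above restricts.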

Check Version:

Check the file properties of SherpaConnectorService.exe or look in the installed programs list

Verify Fix Applied:

Verify that the service path is quoted and that directory permissions are restricted

📡 Detection & Monitoring

Log Indicators:

  • File creation events in C:\Program Files\Sherpa Software\
  • Service restart events for SherpaConnectorService

Network Indicators:

  • No network indicators - local privilege escalation only

SIEM Query:

EventID=4688 AND (NewProcessName LIKE '%Sherpa.exe%' OR ParentProcessName LIKE '%SherpaConnectorService.exe%')
