CVE-2023-36658

7.8 HIGH

📋 TL;DR

CVE-2023-36658 is an unquoted service path vulnerability in OPSWAT MetaDefender KIOSK 4.6.1.9996 that allows local attackers to escalate privileges by placing malicious executables in the service path. This affects systems running the vulnerable version of MetaDefender KIOSK on Windows. Attackers need local access to exploit this vulnerability.

💻 Affected Systems

Products:
  • OPSWAT MetaDefender KIOSK
Versions: 4.6.1.9996
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows systems due to Windows service path handling. Requires local access to the system.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local privilege escalation to SYSTEM-level access, allowing complete system compromise, installation of persistent malware, or disabling of security controls.

🟠 Likely Case

Local authenticated users gain administrative privileges, potentially bypassing security restrictions or accessing sensitive data.

🟢 If Mitigated

Limited impact with proper access controls, monitoring, and restricted user permissions preventing local code execution.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the system.
🏢 Internal Only: HIGH - Internal users with local access can exploit this to gain elevated privileges on affected systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access and knowledge of the service path. Unquoted service path vulnerabilities are well-understood attack vectors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to latest version as per OPSWAT advisory

Vendor Advisory: https://docs.opswat.com/mdkiosk/release-notes/cve-2023-36658

Restart Required: Yes

Instructions:

1. Download latest MetaDefender KIOSK version from OPSWAT portal.
2. Backup current configuration.
3. Install update following vendor instructions.
4. Restart system to apply changes.

🔧 Temporary Workarounds

Apply proper service path quoting

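Platform: Windows

Manually edit the service configuration so that the binary path is quoted. Substitute the actual service name and executable path, as reported by sc qc, for the values shown.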

sc config "ServiceName" binPath= "\"C:\Program Files\OPSWAT\MetaDefender KIOSK\service.exe\""

Restrict file permissions

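Platform: Windows

Set strict permissions on directories in the service path to prevent unauthorized file creation. Because /inheritance:r removes all inherited ACEs, confirm afterwards that the accounts the KIOSK software runs under can still read and execute its files.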

icacls "C:\Program Files\OPSWAT" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" /deny "Users:(OI)(CI)(W)"

🧯 If You Can't Patch

  • Implement strict access controls to limit local user privileges
  • Monitor for unauthorized file creation in OPSWAT installation directories

🔍 How to Verify

Check if Vulnerable:

Check service configuration using: sc qc "MetaDefender KIOSK Service" and look for unquoted paths containing spaces

Check Version:

Check application version in About dialog or installation directory

Verify Fix Applied:

Verify service path is quoted in service configuration and check installed version matches patched release
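
The check above can be scripted. The following PowerShell is an added example, not OPSWAT's tooling or code from the advisory: it flags Win32 services whose executable path contains a space and is not quoted, and can be re-run after the fix to confirm nothing is reported. Test-UnquotedServicePath and Get-UnquotedServicePath are hypothetical helper names, and the sample paths are constructed for illustration.

```powershell
# Added example: audit service binary paths for the unquoted-path condition.
# Helper names are hypothetical; sample values below are constructed.

function Test-UnquotedServicePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $false }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    # A path that already starts with a quote is parsed unambiguously.
    if ($p.StartsWith('"')) { return $false }
    # Isolate the executable portion (up to the first ".exe" followed by
    # whitespace or end of string) so spaces in arguments are ignored.
    if ($p -notmatch '^(.*?\.exe)(\s|$)') { return $false }
    return $Matches[1].Contains(' ')
}

function Get-UnquotedServicePath {
    param([string]$NameFilter = '*')
    # Win32_Service lists Win32 services only, so kernel drivers are excluded.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            ($_.Name -like $NameFilter -or $_.DisplayName -like $NameFilter) -and
            (Test-UnquotedServicePath $_.PathName)
        } |
        Select-Object Name, DisplayName, StartName, PathName
}

# Constructed sample values showing what is and is not flagged.
$samples = @(
    'C:\Program Files\OPSWAT\MetaDefender KIOSK\service.exe',    # flagged
    '"C:\Program Files\OPSWAT\MetaDefender KIOSK\service.exe"',  # quoted: not flagged
    'C:\Windows\System32\svchost.exe -k netsvcs'                 # space only in arguments
)
foreach ($s in $samples) {
    '{0,-5} {1}' -f (Test-UnquotedServicePath $s), $s
}

# On a live host: report matching services, or every service with the default filter.
Get-UnquotedServicePath -NameFilter '*MetaDefender*' | Format-List
```

An empty result from Get-UnquotedServicePath after remediation corresponds to the "Verify Fix Applied" step; the installed version still has to be checked separately.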

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing service path modifications
  • Unexpected file creation in OPSWAT directories
  • Privilege escalation attempts

Network Indicators:

  • None - this is a local vulnerability

SIEM Query:

(EventID=7045 AND ServiceName="MetaDefender KIOSK Service") OR (ProcessCreation WHERE ImagePath contains "OPSWAT" AND CommandLine contains unusual paths)
