This thread discusses a Tenable finding involving the ControlUp Agent Manager service. A new agent manager was built to address the issue, a link to it was provided, and one member offered to test it. A user also asked whether the permission was necessary, and the output from the new version of the agent manager showed that the issue was fixed. Once approved, the new agent manager was to be deployed within 24 hours. The member was asked to rerun the Tenable scan to confirm that the finding was resolved.
Read the entire ‘Addressing a Tenable Finding for ControlUp Agent Manager Service at ControlUp’ thread below:
I have a Tenable finding, guys, and I’m not sure how to go about this… I post here to benefit others who may have the same issue…
https://www.tenable.com/plugins/nessus/44676
SMB Insecurely Configured Service
I’m told our "ControlUp Agent Manager" Service has "Everyone: DC"
As far as I know the installer configures this at install. I don’t recall specifying this one way or another.
I have run (sc.exe sdshow "ControlUp Agent Manager") and have the output but it’s gibberish to me. How do I remediate this for all the endpoints and ensure that new installs do not fall into this issue?
maybe try Sysinternals PsTools
SERVICE_NAME: ControlUp Agent Manager
DISPLAY_NAME: ControlUp Agent Manager
ACCOUNT: LocalSystem
SECURITY:
  [ALLOW] Everyone
    Query status
    Query Config
    Change Config
    Interrogate
    Enumerate Dependents
    Pause/Resume
    Start
    Stop
    User-Defined Control
  [ALLOW] NT AUTHORITY\SYSTEM
    Query status
    Query Config
    Interrogate
    Enumerate Dependents
    Pause/Resume
    Start
    Stop
    User-Defined Control
    Read Permissions
  [ALLOW] BUILTIN\Administrators
    All
  [ALLOW] NT AUTHORITY\INTERACTIVE
    Query status
    Query Config
    Interrogate
    Enumerate Dependents
    User-Defined Control
    Read Permissions
  [ALLOW] NT AUTHORITY\SERVICE
    Query status
    Query Config
    Interrogate
    Enumerate Dependents
    User-Defined Control
    Read Permissions
Reading the article I think it is talking about the binary itself.
> Nessus checked if any of the following groups have permissions to modify executable files that are started by Windows services
Where everyone:DC implies that everyone has delete and change
Which I believe translates into write and modify in the (more user friendly) Windows NTFS permission dialog
Which I can’t reproduce
I’m not sure what DC is as a permission mask though
But I’d take a look at the NTFS permissions set on "C:\Program Files\ControlUp\AgentManager\AgentManager.exe"
the NTFS Perms of the exe
SERVICE_NAME: ControlUp Agent Manager
DISPLAY_NAME: ControlUp Agent Manager
ACCOUNT: LocalSystem
SECURITY:
  [ALLOW] Everyone
    Query status
    Query Config
    Change Config
    Interrogate
    Enumerate Dependents
    Pause/Resume
    Start
    Stop
    User-Defined Control
  [ALLOW] NT AUTHORITY\SYSTEM
    Query status
    Query Config
    Interrogate
    Enumerate Dependents
    Pause/Resume
    Start
    Stop
    User-Defined Control
    Read Permissions
  [ALLOW] BUILTIN\Administrators
    All
  [ALLOW] NT AUTHORITY\INTERACTIVE
    Query status
    Query Config
    Interrogate
    Enumerate Dependents
    User-Defined Control
    Read Permissions
  [ALLOW] NT AUTHORITY\SERVICE
    Query status
    Query Config
    Interrogate
    Enumerate Dependents
    User-Defined Control
    Read Permissions
SERVICE_NAME: ControlUp Agent Manager
DISPLAY_NAME: ControlUp Agent Manager
ACCOUNT: LocalSystem
SECURITY:
  [ALLOW] Everyone
    Query status
    Query Config
    _Change Config_
    Interrogate
    Enumerate Dependents
    Pause/Resume
    Start
    Stop
    User-Defined Control
That Change Config I believe is the issue
Tenable has flagged all of our devices.
Is this permission required for the agent to function?
How can we alter the installer to not leave this open in future installs if it is not required?
We are building a new agent manager to address this, if you are able/willing to test.
Can you test this agent manager? https://downloads.sip.controlup.com/agentmanagersetup2.12.900.44347.msi
Procedure to upgrade:
• Uninstall the existing agent manager using add/remove programs
• Install the new agent manager
on it
uninstalled without issue
installed
SERVICE_NAME: ControlUp Agent Manager
DISPLAY_NAME: ControlUp Agent Manager
ACCOUNT: LocalSystem
SECURITY:
  [ALLOW] Everyone
    Query status
    Query Config
    Interrogate
    Enumerate Dependents
    Pause/Resume
    Start
    Stop
    User-Defined Control
the entry is not there now
I’ll have our security check with Tenable that this action had the desired outcome for them
thanks
It’s the sc sdshow "ControlUp Agent Manager" output Tenable has an issue with. Specifically A;;CCDCLCSWRPWPDTLOCR;;;WD, the DC in there.
The new version has the following permissions.
A;;CCLCSWRPWPDTLOCR;;;WD
Note, no DC
hopefully this is something we can roll out behind the scenes via the tenant.
We’re asking 1 more customer to test. Once approved, it’ll be deployed within 24 hours. Unless you want to update manually
yeah that looks worse than deciphering Linux permissions lol
It really does 🙂
nah if it goes without effort I’m happy lol
do I get a finder fee? 😄
some Reddit silver lol
Are you able to rerun the Tenable finding? To confirm it is addressed?
in progress