CVE-2021-35056 in Stealth
Summary
by MITRE • 07/16/2021
Unisys Stealth 5.1 before 5.1.025.0 and 6.0 before 6.0.055.0 has an unquoted Windows search path for a scheduled task. An unintended executable might run.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/19/2021
The vulnerability identified as CVE-2021-35056 affects Unisys Stealth versions 5.1 prior to 5.1.025.0 and 6.0 prior to 6.0.055.0, representing a critical security flaw in the Windows operating system environment. This issue stems from an improperly configured Windows search path within a scheduled task, creating a privilege escalation vector that could allow malicious actors to execute unauthorized code with elevated privileges. The vulnerability specifically impacts the way Windows resolves executable paths when launching scheduled tasks, particularly within the Stealth application framework.
The technical flaw manifests through an unquoted Windows search path configuration where the system fails to properly quote path strings containing spaces or special characters. When Windows processes a scheduled task with an unquoted path, it follows a specific resolution order that searches through multiple directories in the system PATH environment variable. This behavior creates an opportunity for attackers to place malicious executables in directories that are searched before the intended target, effectively hijacking the execution flow. The vulnerability is classified under CWE-428, which describes the weakness of an unquoted search path, and aligns with ATT&CK technique T1059.001 for command and scripting interpreter execution.
The operational impact of this vulnerability extends beyond simple privilege escalation, as it can enable attackers to gain persistent access to compromised systems. The scheduled task in question likely runs with elevated privileges, making successful exploitation particularly dangerous. Attackers could leverage this vulnerability to deploy malware, establish backdoors, or maintain long-term access to target environments. The stealth nature of the Stealth application framework compounds the risk, as legitimate system processes may appear to be running normally while malicious code executes in the background. This vulnerability represents a significant concern for enterprise environments where Unisys Stealth is deployed, as it could provide attackers with a foothold for broader network infiltration.
Mitigation strategies should focus on immediate patching of affected versions, with the recommended approach being the installation of Unisys Stealth 5.1.025.0 or 6.0.055.0 releases. System administrators should also conduct thorough audits of scheduled tasks and their associated paths to ensure proper quoting of all executable paths. The implementation of application whitelisting policies and strict PATH environment variable controls can provide additional defense-in-depth measures. Security monitoring should include detection of anomalous scheduled task execution patterns and unauthorized modifications to system PATH variables. Organizations should also consider implementing principle of least privilege controls to limit the scope of potential exploitation, ensuring that scheduled tasks run with the minimum necessary privileges required for their legitimate function.