We had a Nessus finding internally regarding “Microsoft Windows Unquoted Service Path Enumeration”. More information about the vulnerability is here: https://www.commonexploits.com/unquoted-service-paths/
And the Nessus article is here: https://www.tenable.com/plugins/index.php?view=single&id=63155
I just happened to be setting up a Windows Service deployment step and noticed that when Octopus creates Windows Services, it does so without the quotes. Is this something that you expect to fix in a future release? Is there a way to work around this within Octopus? I’m guessing I’ll need to add a PowerShell script step to alter the execution path, but I’m hoping there is a work around I’ve overlooked. Thanks!
It looks like you may have stumbled across an issue that has come about as a result of an earlier fix made regarding quotes around paths. I have created a GitHub ticket to fix this problem. You can see where this missing quotes are in the open source Calamari project which is used by Octopus to execute the scripts on the Tentacles.
Because this path is resolved and used in the same script provided in the above link, there is not much you can do at the moment to work around it. Since this is a potential vulnerability I will raise it up with the team to get some priority on it.
Thanks for bringing this to our attention, Let me know if I can be of any further assistance.
Hey, thanks for this fix! I was able to retire my custom step template and revert back to a stock Windows Service installation.