CVE-2020-36934 Overview
CVE-2020-36934 is an unquoted service path vulnerability affecting Deep Instinct Windows Agent version 1.2.24.0. The vulnerability exists in the DeepNetworkService component, which is integrated into HP Sure Sense on HP EliteBook and ZBook systems. Local attackers can exploit the unquoted service path to potentially execute arbitrary code with elevated privileges when the service starts.
Critical Impact
Local privilege escalation to LocalSystem permissions through unquoted service path exploitation in DeepNetworkService
Affected Products
- Deep Instinct Windows Agent 1.2.24.0
- HP Sure Sense (integrating Deep Instinct Windows Agent)
- HP EliteBook and ZBook systems with HP Sure Sense enabled
Discovery Timeline
- 2026-01-25 - CVE-2020-36934 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2020-36934
Vulnerability Analysis
This vulnerability is classified under CWE-428 (Unquoted Search Path or Element). The Deep Instinct Windows Agent installs the DeepNetworkService with an unquoted service path at C:\Program Files\HP Sure Sense\DeepNetworkService.exe. When Windows attempts to start this service, it parses the path by interpreting spaces as argument delimiters if the path is not properly quoted.
The service runs with LocalSystem privileges, which represents the highest privilege level on Windows systems. An attacker with local access who can write to specific locations in the path hierarchy can place a malicious executable that Windows will execute instead of the intended service binary.
Root Cause
The root cause stems from improper service installation configuration where the ImagePath registry value for the DeepNetworkService is not enclosed in quotation marks. Windows service path handling has a documented behavior where unquoted paths containing spaces are parsed sequentially, checking for executables at each space-delimited segment.
For the path C:\Program Files\HP Sure Sense\DeepNetworkService.exe, Windows will attempt to execute in the following order:
- C:\Program.exe
- C:\Program Files\HP.exe
- C:\Program Files\HP Sure.exe
- C:\Program Files\HP Sure Sense\DeepNetworkService.exe
Attack Vector
The attack vector is local, requiring an authenticated attacker with write access to the root of the C: drive or intermediate directories. The attacker places a malicious executable named Program.exe at C:\ or HP.exe at C:\Program Files\. When the DeepNetworkService is started (either manually, at system boot, or through service recovery), Windows executes the attacker's malicious binary with LocalSystem privileges instead of the legitimate service executable.
This privilege escalation attack is particularly effective because:
- The service runs as LocalSystem with unrestricted access
- Service restarts can be triggered by system reboots or service failures
- The malicious executable inherits the security context of the service
Technical details and proof-of-concept information are available through the Exploit-DB #49020 entry and the VulnCheck Advisory.
Detection Methods for CVE-2020-36934
Indicators of Compromise
- Presence of unexpected executables named Program.exe, HP.exe, or Sure.exe in C:\ or C:\Program Files\
- Suspicious process execution with LocalSystem privileges originating from non-standard paths
- Unexpected child processes spawned by the DeepNetworkService
- Registry modifications to the DeepNetworkService ImagePath value
Detection Strategies
- Query Windows services for unquoted service paths using PowerShell: Get-WmiObject win32_service | Where-Object {$_.PathName -notlike '"*"' -and $_.PathName -like '* *'}
- Monitor file creation events in C:\ and C:\Program Files\ directories for executables matching exploitation patterns
- Implement endpoint detection rules for process creation from service context with suspicious parent-child relationships
- Audit service registry keys under HKLM\SYSTEM\CurrentControlSet\Services\DeepNetworkService for ImagePath values
Monitoring Recommendations
- Enable Windows Security Event Log auditing for process creation (Event ID 4688) with command line logging
- Configure file integrity monitoring on the root directory and Program Files folders
- Implement behavioral monitoring for privilege escalation patterns targeting Windows services
- Monitor for service restarts and failures that could indicate exploitation attempts
How to Mitigate CVE-2020-36934
Immediate Actions Required
- Verify the DeepNetworkService installation and check if the ImagePath is properly quoted in the registry
- Restrict write permissions on C:\ and C:\Program Files\ directories to administrative users only
- Audit existing systems for malicious executables that match exploitation patterns (Program.exe, HP.exe, Sure.exe)
- Consider temporarily disabling the DeepNetworkService if not actively required until a patch is applied
Patch Information
Contact Deep Instinct for updated agent software that properly quotes the service path during installation. Review the VulnCheck Advisory for the latest remediation guidance. For HP Sure Sense deployments, consult HP support for firmware or software updates that address this vulnerability.
Workarounds
- Manually quote the service path in the registry by modifying HKLM\SYSTEM\CurrentControlSet\Services\DeepNetworkService\ImagePath to include quotation marks around the full path
- Implement Windows AppLocker or Software Restriction Policies to prevent unauthorized executable execution from root directories
- Apply principle of least privilege to limit which users have write access to system directories
- Enable Windows Defender Credential Guard and other security features to limit the impact of privilege escalation
# PowerShell command to fix unquoted service path
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\DeepNetworkService" -Name "ImagePath" -Value '"C:\Program Files\HP Sure Sense\DeepNetworkService.exe"'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
