Netwrix Auditor contains a particularly dangerous security flaw that allows an attacker to compromise Active Directory. The good news is that the publisher, Netwrix, has already patched this vulnerability.
Netwrix publishes software for companies, in particular for monitoring the activity of environments such as Active Directory or a file server. Its catalog includes Netwrix Auditor, one of Netwrix’s flagship products, used to date by more than 11,500 organizations in 100 countries. Very large companies use Netwrix solutions.
Discovered by the Bishop Fox team, in particular Jordan Parkin, during a TCP scan carried out with Nmap on a Netwrix Auditor server, this security bug is considered critical. Bishop Fox’s team says: “The Netwrix Auditor application is affected by an insecure object deserialization issue that allows an attacker to execute arbitrary code with the privileges of the affected service. This issue is caused by an insecure .NET remoting port accessible on TCP port 9004.” The exposed port explains why the flaw was discovered during an Nmap scan.
They also state that: “In a typical real-world scenario, Netwrix Auditor services would run under an elevated account, which could lead to a complete compromise of the Active Directory environment.” Bishop Fox’s online report provides additional technical details on the exploitation and operation of this security flaw.
The vulnerability affects all supported versions of Netwrix Auditor before version 10.5. Available since June 6, 2022, Netwrix Auditor 10.5 is the version that fixes this security flaw, even though the fix is not highlighted at all in the “changelog” of this new version.
If you are using Netwrix Auditor, you should install the update immediately to protect against this security flaw.
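For administrators checking their own deployment, the sketch below (an added example, not code from Netwrix or Bishop Fox) flags inventory entries older than 10.5 and records whether TCP port 9004 answers from the machine running it. The inventory format, hostnames and version strings are constructed assumptions.

```python
import socket

FIXED_VERSION = (10, 5)   # first fixed release, per the article
REMOTING_PORT = 9004      # .NET remoting port named in the Bishop Fox quote


def is_affected(version_text):
    """True when the installed version is older than 10.5."""
    # Compare numerically: as strings or floats, "10.10" would sort before "10.5".
    parts = tuple(int(p) for p in version_text.strip().split("."))
    return parts[:2] < FIXED_VERSION


def port_open(host, port=REMOTING_PORT, timeout=2.0):
    """True when a TCP connection to host:port succeeds from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name not resolved
        return False


def triage(inventory, probe=port_open):
    """Return one finding per (host, version) pair in the inventory."""
    findings = []
    for host, version in inventory:
        affected = is_affected(version)
        reachable = probe(host)
        if not affected:
            action = "patched"
        elif reachable:
            action = "urgent: upgrade to 10.5 or later"
        else:
            action = "upgrade to 10.5 or later"
        findings.append({"host": host, "version": version,
                         "affected": affected, "reachable": reachable,
                         "action": action})
    return findings


if __name__ == "__main__":
    # Constructed inventory: placeholder hostnames and sample version strings.
    inventory = [("auditor01.corp.invalid", "10.0.9"),
                 ("auditor02.corp.invalid", "10.5.1")]
    for finding in triage(inventory):
        print(finding)
```

A host that does not answer on port 9004 from one vantage point may still be reachable from another network segment, so an affected version is listed for upgrade either way.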