On June 6th, 2022, Netwrix released Auditor v10.5. In this version, a remote code execution vulnerability is addressed. Since Auditor is typically executed with extensive privileges in an Active Directory environment, an attacker would be able to compromise the Active Directory forest and/or Azure AD tenant.
Netwrix empowers information security and governance professionals to reclaim control over sensitive, regulated and business-critical data, regardless of where it resides.
Over 10,000 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and knowledge workers. Founded in 2006, Netwrix has earned more than 150 industry awards and been named to both the Inc. 5000 and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S.
About the vulnerability
A vulnerability exists in an unsecured .NET remoting service that's accessible on TCP port 9004 of the Windows Server on which Netwrix Auditor is installed. This service running on this port (among other ports) allows for core communications between the Domain Controllers (and other monitored systems, services and/or applications) and the Windows Server running Netwrix Auditor.
An insecure object deserialization issue in this service allows for remote code execution in the context of the Netwrix Auditor service, that runs as SYSTEM on the Windows Server. The vulnerability is present in all supported versions of Netwrix Auditor prior to version 10.5.
Depending on the systems, services and/or applications configured for monitoring with Auditor, malicious commands can be issued toward these monitored resourced. Typically, file servers, Exchange servers, Azure AD and Active Directory are monitored resources. Of these resources, Active Directory and Azure AD are the most critical.
About Auditor's AD Permissions
For Netwrix Auditor to perform its Active Directory monitoring, typically only read permissions are required throughout the Active Directory forest. The Write Members permission can also be delegated. Netwrix Auditor and the Netwrix Access Information Center it feeds therefore allow for least administrative privileges to be applied.
In terms of a data leak, this means that in a sufficiently managed environment, an attacker could read all personal information for user accounts in Active Directory. However, in environments where the recommended practice of applying least administrative privileges has not been followed, you may expect a member of theDomain Admins and/or Enterprise Admins group to function as the Netwrix AD service account. In the latter case, compromise of the Active Directory forest is possible.
About Auditor's Azure AD Permissions
For Netwrix Auditor to perform its Azure AD monitoring, typically the following permissions are assigned to an application registration for Netwrix Auditor within Azure AD:
In terms of a data leak, this means that in a sufficiently managed environment, an attacker could read all personal information for user accounts in Azure AD. However, Directory.Read.All also provides read permissions on multi-factor authentication information for people within the organization. This information could be used in attacks in combination with SIM swapping and other means of compromising multi-factor authentication as a security method.
I urge you to update any Netwrix Auditor installations within your networking environments to version 10.5.
On a more personal note
I work with Netwrix, as their Active Directory and Azure AD solutions are generally awesome. Therefore, I feel it's also my responsibility to notify you of any issues with the solutions, as pointed out above. All software contains bugs. Having issues does not mean the software is bad, it means that people are genuinely concerned with the software they use and any bugs they may have.
New Netwrix Auditor Bug Could Let Attackers Compromise Active Directory Domain
Netwrix Auditor Advisory