CVE-2022-31199: Netwrix Auditor Application Critical Vulnerability Advisory

NETWRIX AUDITOR ADVISORY SUMMARY

The following document describes identified vulnerabilities in the Netwrix Auditor application in supported versions prior to 10.5.

Product Vendor

Netwrix

Product Description

Auditor is IT auditing software used to track assets within an organization. The product’s official website is https://www.netwrix.com/auditor.html. The latest version of the application is 10.5, released on June 6, 2022.

Vulnerabilities List

1 vulnerability was identified within the Netwrix Auditor application:

• Insecure Object Deserialization

These vulnerabilities are described in the following sections.

Affected Version

All supported versions prior to 10.5

Summary of Findings

The Netwrix Auditor application is affected by an insecure object deserialization issue that allows an attacker to execute arbitrary code with the privileges of the affected service. This issue is caused by an unsecured .NET remoting port accessible on TCP port 9004.

Impact

An attacker can use this issue to achieve arbitrary code execution on servers running Netwrix Auditor. Since this service is typically executed with extensive privileges in an Active Directory environment, the attacker would likely be able to compromise the Active Directory domain.

Solution

Update to version 10.5

Insecure Object Deserialization

Netwrix Auditor is vulnerable to an insecure object deserialization issue that is caused by an unsecured .NET remoting service. An attacker can submit arbitrary objects to the application through this service to achieve remote code execution on Netwrix Auditor servers.

Vulnerability Details

CVE ID: Pending

Vulnerability Type: Insecure Object Deserialization

Access Vector: ☒ Remote, ☐ Local, ☐ Physical, ☐ Context dependent, ☐ Other (if other, please specify)

Impact: ☒ Code execution, ☐ Denial of service, ☒ Escalation of privileges, ☐ Information disclosure, ☐ Other (if other, please specify)

Security Risk: ☒ Critical, ☐ High, ☐ Medium, ☐ Low

Vulnerability: CWE-502

The Netwrix Auditor application is affected by an insecure object deserialization issue that allows an attacker to execute arbitrary code with the privileges of the affected service. In a typical real-world scenario, Netwrix Auditor services would be running with a highly privileged account, which could lead to full compromise of the Active Directory environment.

This issue was discovered by performing a TCP port scan of a Netwrix Auditor server using the tool nmap. As the following output demonstrates, the Netwrix server had a .NET remoting service available on TCP port 9004:

FIGURE 1 -Scanning for services on Netwrix server

The netstat and tasklist commands were used on the Netwrix server to find out which process was exposing the .NET remoting service:

FIGURE 2 – Identifying the .NET remoting service

Analyzing the .NET remoting service revealed that it could be accessed with the UAVRServer endpoint. The ysoserial.net tool was used to generate a serialized object designed to execute the command whoami on the server under the context of UAVRServer.exe:

FIGURE 3 – Generating a serialized object

The ExploitRemotingService tool was then used to send the serialized object to the UAVRServer service over .NET remoting. The resulting exception was an indicator that the payload was executed successfully:

FIGURE 4 – Sending the malicious object to the UAVRServer service

Logging onto the server and inspecting the contents of C:\temp\out.txt showed that the command was executed successfully:

FIGURE 5 – Code executed through the .NET remoting service

Since the command was executed with NT AUTHORITY\system privileges, exploiting this issue would allow an attacker to fully compromise the Netwrix server.