Headline
CVE-2022-31199: Netwrix Auditor Application Critical Vulnerability Advisory
Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. The remote code execution vulnerabilities exist within the underlying protocol used by the component, and potentially allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors.
NETWRIX AUDITOR ADVISORY SUMMARY
The following document describes identified vulnerabilities in the Netwrix Auditor application in supported versions prior to 10.5.
Product Vendor
Netwrix
Product Description
Auditor is IT auditing software used to track assets within an organization. The product’s official website is https://www.netwrix.com/auditor.html. The latest version of the application is 10.5, released on June 6, 2022.
Vulnerabilities List
One vulnerability was identified within the Netwrix Auditor application:
- Insecure Object Deserialization
This vulnerability is described in the following sections.
Affected Version
All supported versions prior to 10.5
Summary of Findings
The Netwrix Auditor application is affected by an insecure object deserialization issue that allows an attacker to execute arbitrary code with the privileges of the affected service. This issue is caused by an unsecured .NET remoting port accessible on TCP port 9004.
Impact
An attacker can use this issue to achieve arbitrary code execution on servers running Netwrix Auditor. Since this service is typically executed with extensive privileges in an Active Directory environment, the attacker would likely be able to compromise the Active Directory domain.
Solution
Update to version 10.5.
Insecure Object Deserialization
Netwrix Auditor is vulnerable to an insecure object deserialization issue that is caused by an unsecured .NET remoting service. An attacker can submit arbitrary objects to the application through this service to achieve remote code execution on Netwrix Auditor servers.
Vulnerability Details
CVE ID: CVE-2022-31199 (listed as pending at the time this write-up was prepared)
Vulnerability Type: Insecure Object Deserialization
Access Vector: Remote
Impact: Code execution, Escalation of privileges
Security Risk: Critical
Vulnerability: CWE-502
The Netwrix Auditor application is affected by an insecure object deserialization issue that allows an attacker to execute arbitrary code with the privileges of the affected service. In a typical real-world scenario, Netwrix Auditor services would be running with a highly privileged account, which could lead to full compromise of the Active Directory environment.
This issue was discovered by performing a TCP port scan of a Netwrix Auditor server with nmap. As Figure 1 shows, the Netwrix server exposed a .NET remoting service on TCP port 9004:
FIGURE 1 – Scanning for services on the Netwrix server
The netstat and tasklist commands were used on the Netwrix server to find out which process was exposing the .NET remoting service:
FIGURE 2 – Identifying the .NET remoting service
Analyzing the .NET remoting service revealed that it could be accessed through the UAVRServer endpoint. The ysoserial.net tool was used to generate a serialized object designed to execute the command whoami on the server in the context of UAVRServer.exe:
FIGURE 3 – Generating a serialized object
The ExploitRemotingService tool was then used to send the serialized object to the UAVRServer service over .NET remoting. The resulting exception indicated that the payload had been executed:
FIGURE 4 – Sending the malicious object to the UAVRServer service
Logging onto the server and inspecting the contents of C:\temp\out.txt showed that the command was executed successfully:
FIGURE 5 – Code executed through the .NET remoting service
Since the command was executed with NT AUTHORITY\system privileges, exploiting this issue would allow an attacker to fully compromise the Netwrix server.
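The advisory's discovery steps (Figures 1 and 2) and its affected-version statement boil down to two checks a defender can automate on each Netwrix Auditor host: which process owns the listener on TCP 9004, and whether the installed version is older than 10.5. The following script is an added example, not code from the advisory or from Netwrix; the netstat and tasklist output it parses is constructed sample data, and the PID and memory figures in it are invented.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output of `netstat -ano` and `tasklist` on a Netwrix
# Auditor server (not the advisory's figures; PIDs and sizes are invented).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:9004           0.0.0.0:0              LISTENING       4312
  TCP    [::]:9004              [::]:0                 LISTENING       4312
  TCP    10.0.0.5:9004          10.0.0.77:51322        ESTABLISHED     4312
"""
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    912 Services                   0     12,344 K
UAVRServer.exe                4312 Services                   0    156,220 K
"""

REMOTING_PORT = 9004          # .NET remoting port named in the advisory
FIXED_VERSION = (10, 5)       # first version with the fix

def listening_pids(netstat_output: str, port: int) -> List[int]:
    """Return distinct PIDs that own a LISTENING TCP socket on `port` (IPv4 or IPv6)."""
    pids: List[int] = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            if parts[1].rsplit(":", 1)[1] == str(port) and int(parts[4]) not in pids:
                pids.append(int(parts[4]))
    return pids

def pid_to_image(tasklist_output: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist` output, skipping header and separator rows."""
    mapping: Dict[int, str] = {}
    for line in tasklist_output.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s+\S+\s+\d+\s", line)
        if m:
            mapping[int(m.group(2))] = m.group(1)
    return mapping

def parse_version(version: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in version.split("."))

def assess(netstat_output: str, tasklist_output: str, installed_version: str) -> dict:
    """Report which process exposes the remoting port and whether the version is pre-10.5."""
    images = pid_to_image(tasklist_output)
    listeners = [(pid, images.get(pid, "unknown")) for pid in listening_pids(netstat_output, REMOTING_PORT)]
    outdated = parse_version(installed_version) < FIXED_VERSION
    return {"remoting_listeners": listeners, "vulnerable_version": outdated,
            "action": "update to 10.5" if outdated else "none"}
```

Feed it the real `netstat -ano` and `tasklist` output from a host and the version shown in the Netwrix Auditor console to get a per-host finding.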