Executive Summary
Vulnerabilities were discovered in current and past versions of StealthINTERCEPT that, when chained, may allow an attacker to access administrative functions of StealthINTERCEPT or execute arbitrary code on the StealthINTERCEPT Enterprise Manager server. When the infrequently used StealthINTERCEPT Auto Deploy feature is enabled, an attacker may also be able to obtain credentials for or execute code on Active Directory domain controllers.
In StealthINTERCEPT versions prior to 7.0, successful exploitation of a vulnerability chain does not require authentication. For StealthINTERCEPT versions 7.0 or later, successful exploitation of a vulnerability chain requires that the attacker have also compromised a StealthINTERCEPT authentication secret.
Stealthbits is unaware of any evidence of active exploitation of any of these vulnerabilities, or that the details of any of these vulnerabilities are known publicly.
Updates
2024-09-04T17:00:00Z
Netwrix has announced the complete remediation of the vulnerabilities NXV-2021-0001, NXV-2021-0002, NXV-2021-0003, and NXV-2021-0004 in Netwrix Threat Prevention (formerly StealthINTERCEPT) version 7.4.0. More information about this update is available in security advisory ADV-2024-003.
Acknowledgements
We thank Ron Lifinski and Pavel Jirout for their effort and partnership in improving the security of our products.
Vulnerability
Identifier | Product | Affected Versions | CVSS 3.1 Score (base / temporal) | Title | Description |
---|---|---|---|---|---|
NXV-2021-0001 | StealthINTERCEPT Enterprise Manager | <7.0 | 9.8 (8.9) | Improper implementation of authentication in StealthINTERCEPT | Administrative functions in StealthINTERCEPT Enterprise Manager may be remotely accessed by an unauthenticated attacker. |
NXV-2021-0001 | StealthINTERCEPT Enterprise Manager | >=7.0 | 7.2 (6.5) | Improper implementation of authentication in StealthINTERCEPT | Administrative functions in StealthINTERCEPT Enterprise Manager may be remotely accessed by an unauthenticated attacker. |
NXV-2021-0002 | StealthINTERCEPT Enterprise Manager | <7.0 | 9.8 (8.9) | Improper implementation of authorization in StealthINTERCEPT Enterprise Manager | Use of client-side authorization in StealthINTERCEPT Enterprise Manager may allow an unprivileged remote attacker to escalate privileges. |
NXV-2021-0002 | StealthINTERCEPT Enterprise Manager | >=7.0 | 7.2 (6.5) | Improper implementation of authorization in StealthINTERCEPT Enterprise Manager | Use of client-side authorization in StealthINTERCEPT Enterprise Manager may allow an unprivileged remote attacker to escalate privileges. |
NXV-2021-0003 | StealthINTERCEPT Enterprise Manager | <7.0 | 9.8 (8.9) | Remote code execution in StealthINTERCEPT Enterprise Manager | A remote code execution vulnerability in StealthINTERCEPT Enterprise Manager may allow an attacker to execute arbitrary code as SYSTEM on the StealthINTERCEPT Enterprise Manager. |
NXV-2021-0003 | StealthINTERCEPT Enterprise Manager | >=7.0 | 7.2 (6.5) | Remote code execution in StealthINTERCEPT Enterprise Manager | A remote code execution vulnerability in StealthINTERCEPT Enterprise Manager may allow an attacker to execute arbitrary code as SYSTEM on the StealthINTERCEPT Enterprise Manager. |
NXV-2021-0004 | StealthINTERCEPT Enterprise Manager | <7.0 | 9.6 (8.7) | Remote code execution in StealthINTERCEPT Enterprise Manager | A remote code execution vulnerability in StealthINTERCEPT Enterprise Manager may allow an attacker to execute arbitrary code on a domain controller when the Auto Deploy feature is enabled. |
NXV-2021-0004 | StealthINTERCEPT Enterprise Manager | >=7.0 <7.3.5 | 8.4 (7.6) | Remote code execution in StealthINTERCEPT Enterprise Manager | A remote code execution vulnerability in StealthINTERCEPT Enterprise Manager may allow an attacker to execute arbitrary code on a domain controller when the Auto Deploy feature is enabled. |
NXV-2021-0005 | StealthINTERCEPT Enterprise Manager | <7.0 | 10.0 (9.1) | Remote privilege escalation in StealthINTERCEPT Enterprise Manager | A remote privilege escalation vulnerability in StealthINTERCEPT Enterprise Manager may allow an attacker to compromise stored credentials, including those of a domain administrator when the Auto Deploy feature is enabled. |
NXV-2021-0005 | StealthINTERCEPT Enterprise Manager | >=7.0 <7.3.5 | 9.1 (8.3) | Remote privilege escalation in StealthINTERCEPT Enterprise Manager | A remote privilege escalation vulnerability in StealthINTERCEPT Enterprise Manager may allow an attacker to compromise stored credentials, including those of a domain administrator when the Auto Deploy feature is enabled. |
NXV-2021-0006 | StealthINTERCEPT Enterprise Manager and Agent | >=7.0 <7.3.5 | 5.7 (5.1) | Insufficiently protected credentials in StealthINTERCEPT | StealthINTERCEPT’s auto security mode requires that an encryption key be shared with Enterprise Manager and all agents. The process of copying this key may leave it unprotected, enabling an attacker to compromise this encryption key. |
NXV-2021-0007 | StealthINTERCEPT Agent | <7.0 | 6.5 (5.9) | Unauthenticated remote bypass of security hardening | In StealthINTERCEPT agent versions prior to 7.0 an attacker may be able to remotely disable the agent hardening feature, permitting them to stop or uninstall the StealthINTERCEPT agent. |
Exploitability
Factors such as whether details about the vulnerability are publicly known, whether an exploit is readily available, or whether adversaries are actively exploiting the vulnerability are valuable in making risk-based judgements about urgency and priority; customers should use the information below in making those decisions.
Identifier | Title | Publicly known? | Exploit available? | Actively exploited? |
---|---|---|---|---|
NXV-2021-0001 | Improper implementation of authentication in StealthINTERCEPT | No | No | No |
NXV-2021-0002 | Improper implementation of authorization in StealthINTERCEPT Enterprise Manager | No | No | No |
NXV-2021-0003 | Remote code execution in StealthINTERCEPT Enterprise Manager | No | No | No |
NXV-2021-0004 | Remote code execution in StealthINTERCEPT Enterprise Manager | No | No | No |
NXV-2021-0005 | Remote privilege escalation in StealthINTERCEPT Enterprise Manager | No | No | No |
NXV-2021-0006 | Insufficiently protected credentials in StealthINTERCEPT Enterprise Manager and Agent | No | No | No |
NXV-2021-0007 | Unauthenticated remote bypass of security hardening | No | No | No |
Solution
All customers are advised to take the following steps:
- All StealthINTERCEPT customers, particularly those running a version of StealthINTERCEPT earlier than 7.0, are advised to upgrade to StealthINTERCEPT 7.3.5 as soon as possible.
- After uninstalling the prior StealthINTERCEPT version and before upgrading to StealthINTERCEPT 7.3.5, customers are advised to change the passwords for the StealthINTERCEPT database user. If the associated functionality is enabled, after upgrading to StealthINTERCEPT 7.3.5, customers should also change the passwords for the Auto Deploy user, the SMTP notification user, and the StealthDEFEND Event Sink API key.
- Implement StealthINTERCEPT security best practices.
Workarounds
Until the solution is applied, temporary workarounds may be deployed to mitigate the causes and effects of the vulnerabilities.
- Customers, particularly those running a version of StealthINTERCEPT prior to 7.0 or who cannot upgrade immediately, are advised to use a host-based firewall to temporarily limit network access to StealthINTERCEPT Enterprise Manager. We have released a tool to automate this process for customers using the host-based Windows Firewall.
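The following script is an added illustration of the host-based Windows Firewall workaround described above; it is not the Stealthbits automation tool and not part of the original advisory. It assumes a placeholder Enterprise Manager listener port ($EmPort, which must be taken from your own deployment) and a constructed list of agent and administrator addresses ($AllowedRemote); run it elevated on the Enterprise Manager host.

```powershell
# Added example (not Stealthbits code). Scope inbound access to the Enterprise Manager
# listener so that only known agents and administrators can reach it.
$EmPort       = 0                               # PLACEHOLDER: Enterprise Manager TCP port
$AllowedRemote = @('10.0.1.0/24', '10.0.2.15')  # constructed: agent subnet, admin workstation
$RuleName     = 'StealthINTERCEPT EM - restricted inbound'

if ($EmPort -le 0) { throw 'Set $EmPort to the Enterprise Manager listener port first.' }

# 1. Default-deny inbound on every profile; only explicit allow rules admit traffic.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# 2. Disable any existing inbound allow rule for that port, since a broad allow rule
#    would otherwise keep the listener reachable from every remote address.
Get-NetFirewallPortFilter |
  Where-Object { $_.Protocol -eq 'TCP' -and "$($_.LocalPort)" -eq "$EmPort" } |
  Get-NetFirewallRule |
  Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.DisplayName -ne $RuleName } |
  Disable-NetFirewallRule

# 3. Create (or replace) a single allow rule scoped to the permitted remote addresses.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow -Profile Any `
  -Protocol TCP -LocalPort $EmPort -RemoteAddress $AllowedRemote | Out-Null

# 4. Verify: the rule exists, is enabled, and carries the expected remote-address scope.
$rule = Get-NetFirewallRule -DisplayName $RuleName
if ($rule.Enabled -ne 'True') { throw "Rule '$RuleName' is not enabled." }
$scope = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
Write-Host "Inbound TCP/$EmPort now limited to: $($scope -join ', ')"
```

Record the rule name and scope in the change ticket so the restriction can be rolled back once 7.3.5 or later is installed.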
Official fixes
Updated software has been released containing official fixes as indicated in the table below.
Identifier | Title | Version |
---|---|---|
NXV-2021-0001 | Improper implementation of authentication in StealthINTERCEPT | Netwrix Threat Manager (formerly StealthINTERCEPT) 7.4.0 |
NXV-2021-0002 | Improper implementation of authorization in StealthINTERCEPT Enterprise Manager | Netwrix Threat Manager (formerly StealthINTERCEPT) 7.4.0 |
NXV-2021-0003 | Remote code execution in StealthINTERCEPT Enterprise Manager | Netwrix Threat Manager (formerly StealthINTERCEPT) 7.4.0 |
NXV-2021-0004 | Remote code execution in StealthINTERCEPT Enterprise Manager | Netwrix Threat Manager (formerly StealthINTERCEPT) 7.4.0 |
NXV-2021-0005 | Remote privilege escalation in StealthINTERCEPT Enterprise Manager | StealthINTERCEPT 7.3.5 |
NXV-2021-0006 | Insufficiently protected credentials in StealthINTERCEPT Enterprise Manager and Agent | StealthINTERCEPT 7.3.5 |
NXV-2021-0007 | Unauthenticated remote bypass of security hardening | StealthINTERCEPT 7.0.1 |
FAQ
Frequently asked questions:
- Why are the severity ratings so different for StealthINTERCEPT versions prior to 7.0?
  Changes to the network protocol architecture and technology in StealthINTERCEPT version 7.0 greatly improved security and performance. In version 7.0 and later, all components use TLS-based mutual authentication when communicating with each other. Thus, StealthINTERCEPT versions 7.0 and later include another requirement an attacker must satisfy to successfully exploit these vulnerabilities.
- Can an attacker use these vulnerabilities to compromise Active Directory?
  The infrequently used Auto Deploy feature, which automatically deploys agents to new domain controllers, increases a customer’s risk from these vulnerabilities. By chaining several of these vulnerabilities together, an adversary may be able to compromise the stored domain administrator credential or configure the Auto Deploy feature to push a program under their control to domain controllers.
- Why are only interim fixes available for several of the vulnerabilities?
  Because of the availability of interim fixes that greatly reduce the risk to our customers, we chose to issue this advisory and make those interim fixes available while we continue to work on final remediation.
- How do the interim fixes reduce my risk from these vulnerabilities?
  The interim fixes eliminate the possibility that an attacker can communicate with the vulnerable parts of StealthINTERCEPT Enterprise Manager over the network. In order to exploit these vulnerabilities, in version 7.3.5 and later, an attacker would first have to compromise the server running the StealthINTERCEPT application itself.
Revisions
Updates to this advisory may be made as necessary. Information about each change will be published in the table below.
Revision | Date | Description |
---|---|---|
2 | 2024-09-04T17:00:00Z | Updated to reflect completed remediation |
1 | 2021-10-06T13:00:00Z | First published |
Disclaimer
The information and materials included in or linked to this Security Advisory are provided on an “as-is” basis and without warranty of any kind, and we disclaim all representations and warranties of any kind, whether express or implied, including warranties of merchantability and fitness for a particular use. You acknowledge and agree that your use of the information and materials included in or linked to this Security Advisory are at your own risk.