Executive Summary
As part of its secure development practices, Netwrix contracted a third party to conduct a penetration test against Netwrix SbPAM. This penetration test discovered several vulnerabilities, including access control and cryptography weaknesses, that may allow an attacker to access administrative functions or sensitive information.
Netwrix is unaware of any evidence of active exploitation of any of these vulnerabilities, or that the details of any of these vulnerabilities are known publicly.
Vulnerability
Component | Affected Versions | CVSS 3.1 Score (base / temporal) | Title | Description |
---|---|---|---|---|
Netwrix SbPAM Server | <3.6 | 8.8 (7.7) | Use of client-side authorization verification in Netwrix SbPAM | The password for the account used in a Netwrix SbPAM session was always returned in the API response regardless of the “Allow User to View Password” policy setting. An attacker with access to the client browser could therefore obtain the connection password despite the lack of user interface elements permitting it. |
Netwrix SbPAM Server | <3.6 | 8.8 (7.7) | Improper implementation of authorization verification in Netwrix SbPAM | Several Netwrix SbPAM API endpoints did not correctly implement authorization checks, potentially allowing a low-privileged user access to sensitive administrative functions. |
Netwrix SbPAM Server | <3.6 | 8.3 (7.2) | Use of a hard-coded encryption key in Netwrix SbPAM | Netwrix SbPAM utilized a hard-coded encryption key to encrypt sensitive information on the SbPAM server and in the database. Thus, an attacker with access to an SbPAM deployment and knowledge of this key could decrypt sensitive information, including credentials stored by SbPAM. |
Netwrix SbPAM Server | <3.6 | 8.2 (7.1) | Improper implementation of authentication verification in Netwrix SbPAM | A Netwrix SbPAM API endpoint that is part of the built-in access certification workflow did not correctly verify whether a user was authenticated, potentially allowing an attacker to abuse the API endpoint to affect the outcome of an access certification review. |
Netwrix SbPAM Proxy | <3.6 | 6.8 (5.9) | Session expiration bypass in Netwrix SbPAM Proxy | By manipulating the WinRM process on the target system of a Netwrix SbPAM session, an attacker could force the session to persist past its expiration. |
Netwrix SbPAM Server | <3.6 | 6.5 (5.7) | Sensitive information disclosure in Netwrix SbPAM | An API endpoint in Netwrix SbPAM disclosed sensitive information pertaining to the product infrastructure that may have been useful to an attacker. |
Netwrix SbPAM Server | <3.6 | 5.4 (4.7) | Partial second-factor authentication bypass in Netwrix SbPAM | Several API endpoints in Netwrix SbPAM did not correctly enforce two-factor authentication validation, allowing an attacker to successfully authenticate to them with an interim authentication token. |
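The first and last rows above share one root cause: an authorization or authentication decision made somewhere other than the server code that produces the response. The following is an added illustration, not Netwrix code; the session, policy and token shapes are constructed for the example. It shows the "before" form that returns the password regardless of the "Allow User to View Password" setting beside a form that enforces the policy server-side, and a gate that refuses an interim (pre-second-factor) token at every protected endpoint.

```python
"""Added example (not Netwrix code): server-side enforcement of the two
API-layer checks described in the advisory. All records are constructed."""
from dataclasses import dataclass

# Constructed sample records standing in for a PAM session and its policy.
SESSION = {"id": "sess-1", "account": "svc_backup", "password": "S3cret!"}
POLICY_NO_VIEW = {"allow_user_to_view_password": False}
POLICY_VIEW = {"allow_user_to_view_password": True}


def session_response_vulnerable(session, policy):
    """'Before' form: the password is always present in the API response;
    only the UI decides whether to show it (client-side authorization)."""
    return {"id": session["id"], "account": session["account"],
            "password": session["password"]}


def session_response_fixed(session, policy):
    """'After' form: the policy is enforced where the data is produced, so a
    client that bypasses the UI still never receives the secret."""
    body = {"id": session["id"], "account": session["account"]}
    if policy.get("allow_user_to_view_password", False):
        body["password"] = session["password"]
    return body


@dataclass(frozen=True)
class Token:
    """Constructed token model: a token issued after the first factor only is
    'interim'; completing the second factor upgrades it to a full token."""
    subject: str
    mfa_completed: bool


def require_full_session(token: Token) -> bool:
    """Gate applied to every protected endpoint: an interim token must not
    satisfy the check, whichever endpoint it is presented to."""
    return token.mfa_completed


def protected_endpoint(token: Token, session, policy):
    """Combine both checks: reject interim tokens first, then build the
    policy-aware response. Returns (http_status, body)."""
    if not require_full_session(token):
        return 401, {"error": "second factor required"}
    return 200, session_response_fixed(session, policy)
```

The detection angle is the same in both cases: log and alert on protected endpoints being called with a token whose second factor is incomplete, and audit which API responses carry secret fields.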
Exploitability
Factors such as whether details about the vulnerability are publicly known, whether an exploit is readily available, or whether adversaries are actively exploiting the vulnerability are valuable in making risk-based judgements about urgency and priority; customers should use the information below in making those decisions.
Title | Publicly known? | Exploit available? | Actively exploited? |
---|---|---|---|
Use of client-side authorization verification in Netwrix SbPAM | No | No | No |
Improper implementation of authorization verification in Netwrix SbPAM | No | No | No |
Use of a hard-coded encryption key in Netwrix SbPAM | No | No | No |
Improper implementation of authentication verification in Netwrix SbPAM | No | No | No |
Session expiration bypass in Netwrix SbPAM Proxy | No | No | No |
Sensitive information disclosure in Netwrix SbPAM | No | No | No |
Partial second-factor authentication bypass in Netwrix SbPAM | No | No | No |
Solution
All Netwrix SbPAM customers are advised to update Netwrix SbPAM to version 3.6 or later as soon as possible.
Official fixes
Updated software has been released containing official fixes as indicated in the table below.
Title | Version |
---|---|
Use of client-side authorization verification in Netwrix SbPAM | Netwrix SbPAM 3.6.2115.0 |
Improper implementation of authorization verification in Netwrix SbPAM | Netwrix SbPAM 3.6.2115.0 |
Use of a hard-coded encryption key in Netwrix SbPAM | Netwrix SbPAM 3.6.2115.0 |
Improper implementation of authentication verification in Netwrix SbPAM | Netwrix SbPAM 3.6.2115.0 |
Session expiration bypass in Netwrix SbPAM Proxy | Netwrix SbPAM 3.6.2115.0 |
Sensitive information disclosure in Netwrix SbPAM | Netwrix SbPAM 3.6.2115.0 |
Partial second-factor authentication bypass in Netwrix SbPAM | Netwrix SbPAM 3.6.2115.0 |
FAQ
Frequently asked questions:
- Are there specific steps I need to take as part of upgrading Netwrix SbPAM?
As part of the upgrade process, the Netwrix SbPAM installer will complete a mandatory encryption key rotation. Customers who are running Netwrix SbPAM in high-availability mode or use distributed Action Service or Proxy components should refer to this guide before beginning their upgrade.
Revisions
Updates to this advisory may be made as necessary. Information about each change will be published in the table below.
Revision | Date | Description |
---|---|---|
1 | 2022-05-02T14:00:00Z | First published |
Disclaimer
The information and materials included in or linked to this Security Advisory are provided on an “as-is” basis and without warranty of any kind, and we disclaim all representations and warranties of any kind, whether express or implied, including warranties of merchantability and fitness for a particular use. You acknowledge and agree that your use of the information and materials included in or linked to this Security Advisory is at your own risk.