Executive Summary
Several vulnerabilities of a similar nature were discovered in the Netwrix Auditor component that performs data collection from Windows servers, an older version of the component that performs data collection from file systems (only available through support), and the user activity recording component. These vulnerabilities may permit an unauthenticated attacker to remotely execute arbitrary code as an administrator on the Netwrix Auditor server; and, if the User Activity data source is configured, on any system included in the data source configuration.
Separately, a vulnerability was discovered in the Netwrix Auditor data collector for Windows servers that results in Netwrix Auditor attempting to authenticate with all configured credentials on each system it scans, instead of just the credential required for each specific system. As a result of these authentication attempts, an attacker with administrative access to a system may be able to extract these credentials and use them to escalate privileges.
Updates
2023-07-14T15:30:00Z
A recent Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Advisory includes additional IOCs that can be used to detect malicious activity. The evidence suggests the attacker is the same as we first advised of in October and December 2022.
2022-12-12T17:45:00Z
Citing “a small number of cases” observed by their threat detection solution, Talos, a threat intelligence company, published an update regarding a threat actor’s use of the vulnerability in Netwrix Auditor (CVE-2022-31199). This actor exploited this vulnerability to deploy malware known as Truebot. Truebot is used in the initial stages of an attack to download and deploy other malware such as ransomware or information stealers. Based on the evidence available from Talos, it appears that this is the same threat actor we discussed in this advisory’s previous update. Furthermore, the available evidence suggests that these Netwrix Auditor systems were all exposed to the internet.
2022-10-27T14:00:00Z
Netwrix has become aware of a threat actor’s unsuccessful attempt to compromise a Netwrix Auditor server through the exploitation of CVE-2022-31199. The server was inadvertently exposed to the internet. Netwrix remains unaware of any evidence of active exploitation of the other vulnerabilities described in this advisory. While Netwrix assesses the risk to its customers to be very low, out of an abundance of caution and consistent with best security practices Netwrix is publishing Indicators of Compromise (IOCs) collected by the affected customer and shared with us.
These IOCs may be used to proactively search for suspicious network connections and files that may indicate similar activity. Customers whose Netwrix Auditor systems are on a public network or otherwise exposed to the internet should conduct an investigation of their systems. Netwrix recommends implementing network-based segmentation and the use of an internal private network for Netwrix Auditor.
During an internal security review of the remediations, additional vectors of exploitation were discovered for the vulnerabilities “Remote Code Execution in Netwrix Auditor Windows Server Data Collector” and “Remote Code Execution in Netwrix Auditor Legacy Filesystem Data Collector.” Netwrix has released Netwrix Auditor version 10.5.10977.0, which includes remediation of these vectors. Netwrix Auditor customers are advised to update to version 10.5.10977.0 as soon as possible.
2022-07-14T14:00:00Z
Consistent with industry practice, the Bishop Fox security research team has published the technical details of CVE-2022-31199.
Acknowledgements
We thank Jordan Parkin of Bishop Fox for his coordinated disclosure of the vulnerability “Remote Code Execution in Netwrix Auditor User Activity Video Recording Component”, Daniel Granville for the discovery of the vulnerability “Exposed Credentials in Netwrix Auditor Windows Server Data Collector”, and both for their effort and partnership in improving the security of our products.
Vulnerability
Affected Component | Affected Versions | CVSS 3.1 Score (base / temporal) | Title | Description |
---|---|---|---|---|
Netwrix Auditor User Activity Video Recording Component (CVE-2022-31199) | Prior to 10.5 | 10.0 / 9.0 | Remote Code Execution in Netwrix Auditor User Activity Video Recording Component | Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. The remote code execution vulnerabilities exist within the underlying protocol used by the component, and potentially allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors. |
Netwrix Auditor Windows Server Data Collector | Prior to 10.5 | 9.8 / 8.5 | Remote Code Execution in Netwrix Auditor Windows Server Data Collector | A remote code execution vulnerability in the Netwrix Auditor Windows Server Data Collector may allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user on the Netwrix Auditor server. |
Netwrix Auditor Legacy Filesystem Data Collector | Prior to 10.5 | 8.8 / 7.7 | Remote Code Execution in Netwrix Auditor Legacy Filesystem Data Collector | A remote code execution vulnerability in the Netwrix Auditor Legacy Filesystem Data Collector may allow an attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user on the Netwrix Auditor server, if the attacker is able to place a maliciously crafted file on a system scanned by Netwrix Auditor. |
Netwrix Auditor Windows Server Data Collector | Prior to 10.5 | 8.2 / 7.1 | Exposed Credentials in Netwrix Auditor Windows Server Data Collector | In its default configuration, the Netwrix Auditor Windows Server Collector may expose credentials configured for a system to all other scanned systems. Therefore, an attacker with privileged access to a target system may be able to obtain credentials for other systems from memory. |
Netwrix Auditor | Prior to 10.5 | 7.8 / 6.8 | Local Privilege Escalation in Netwrix Auditor | A local privilege escalation vulnerability in Netwrix Auditor may allow an attacker with low privileges to escalate their privileges to the NT AUTHORITY\SYSTEM user on the Netwrix Auditor server. |
Exploitability
Factors such as whether details about the vulnerability are publicly known, whether an exploit is readily available, or whether adversaries are actively exploiting the vulnerability are valuable in making risk-based judgements about urgency and priority; customers should use the information below in making those decisions.
Title | Publicly known? | Exploit available? | Actively exploited? |
---|---|---|---|
Remote Code Execution in Netwrix Auditor User Activity Video Recording Component | Yes | Yes | Yes |
Remote Code Execution in Netwrix Auditor Windows Server Data Collector | No | No | No |
Remote Code Execution in Netwrix Auditor Legacy Filesystem Data Collector | No | No | No |
Exposed Credentials in Netwrix Auditor Windows Server Data Collector | No | No | No |
Local Privilege Escalation in Netwrix Auditor | No | No | No |
Solution
All Netwrix Auditor customers are advised to update Netwrix Auditor to version 10.5 or later as soon as possible. Instructions for the upgrade process are available in the help center and in our knowledge base. Please contact the Netwrix technical support team should you need assistance.
Official Fixes
Updated software has been released containing official fixes as indicated in the table below.
Title | Version |
---|---|
Remote Code Execution in Netwrix Auditor User Activity Video Recording Component | Netwrix Auditor 10.5.10936.0 |
Remote Code Execution in Netwrix Auditor Windows Server Data Collector | Netwrix Auditor 10.5.10977.0 |
Remote Code Execution in Netwrix Auditor Legacy Filesystem Data Collector | Netwrix Auditor 10.5.10977.0 |
Exposed Credentials in Netwrix Auditor Windows Server Data Collector | Netwrix Auditor 10.5.10936.0 |
Local Privilege Escalation in Netwrix Auditor | Netwrix Auditor 10.5.10936.0 |
FAQ
How do I know if I’m using a component affected by the vulnerabilities?
Remote Code Execution in Netwrix Auditor User Activity Video Recording Component - The Netwrix Auditor server is affected by this vulnerability regardless of usage of the User Activity data source. Systems included in the User Activity data source of a Monitoring Plan are affected by this vulnerability. In circumstances where automatic uninstallation of an agent failed, systems on which User Activity was collected at one time may be vulnerable.
Remote Code Execution in Netwrix Auditor Legacy Filesystem Data Collector - Customers who have enabled the “legacy filesystem data collector” under the advice of the Netwrix technical support team are affected by the vulnerability.
The remaining vulnerabilities affect all Netwrix Auditor customers regardless of configuration.
Are there any steps I need to take after I upgrade Netwrix Auditor?
When a system is added to the User Activity data source in a Monitoring Plan, Netwrix Auditor silently deploys a lightweight agent to it. When Netwrix Auditor is upgraded these agents are also automatically upgraded. When a system is removed from a monitoring plan, Netwrix Auditor attempts to uninstall the agent. However, under some circumstances uninstallation may fail. As a result, older vulnerable agents may persist in the environment even after an upgrade.
Customers are advised to search their environment for installations of “Netwrix Auditor User Activity Core Service” with a version of less than 10.5 and uninstall them. We have released a script to help customers automate the process.
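The check described above, as an added example that is not the script Netwrix released: it reads the standard Windows Uninstall registry keys (64-bit and WOW6432Node), reports every "Netwrix Auditor User Activity Core Service" entry with its version, flags anything below 10.5, and only runs the vendor uninstall string when invoked with -Uninstall. The 10.5 threshold and the display name come from the FAQ text; the registry paths are the usual Windows locations and the MSI handling is an assumption about how the agent is packaged.

```powershell
# Added example, not the Netwrix-provided script. Run elevated on each host,
# or push it with Invoke-Command to many hosts. Read-only unless -Uninstall is given.
param([switch]$Uninstall)

$DisplayName = 'Netwrix Auditor User Activity Core Service'   # from the advisory FAQ
$FixedIn     = [version]'10.5'                                # agents at or above this are patched
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Registry inventory is preferred over Win32_Product, which is slow and triggers MSI repairs.
$entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq $DisplayName }

if (-not $entries) {
    "No '$DisplayName' installation found on $env:COMPUTERNAME."
    return
}

foreach ($e in $entries) {
    $ver = $null
    # An unparsable or missing DisplayVersion is treated as vulnerable so it is not silently skipped.
    [void][version]::TryParse([string]$e.DisplayVersion, [ref]$ver)
    $vulnerable = ($null -eq $ver) -or ($ver -lt $FixedIn)

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Version         = $e.DisplayVersion
        Vulnerable      = $vulnerable
        UninstallString = $e.UninstallString
    }

    if ($vulnerable -and $Uninstall -and $e.UninstallString) {
        # Assumption: MSI-packaged agents expose "MsiExec.exe /X{GUID}"; run that quietly.
        # Anything else is executed exactly as the vendor registered it.
        if ($e.UninstallString -match '\{[0-9A-Fa-f-]{36}\}') {
            Start-Process -FilePath 'msiexec.exe' -ArgumentList "/x $($Matches[0]) /qn /norestart" -Wait
        } else {
            Start-Process -FilePath 'cmd.exe' -ArgumentList "/c `"$($e.UninstallString)`"" -Wait
        }
    }
}
```

Run it first without -Uninstall and collect the objects centrally (for example via `Invoke-Command -ComputerName (Get-Content hosts.txt) -FilePath .\Find-OldAgent.ps1`) so that the list of hosts still carrying a pre-10.5 agent is recorded before anything is removed; the upgrade of the Netwrix Auditor server does not reach agents whose uninstallation previously failed, which is exactly the population this inventory is meant to surface.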
How do I determine the version of Netwrix Auditor?
To determine the version and build of your Netwrix Auditor instance, please visit this Knowledgebase Article or refer to the following steps:
- In your main Netwrix Auditor menu, click the Settings button.
- In the left pane, select About Netwrix Auditor.
- The current version and build will be available in the right section.
Indicators of Compromise
Netwrix recently learned of a threat actor’s attempt to exploit CVE-2022-31199 in an attempt to deploy a first stage payload (a downloader). These IOCs may be used to look for potentially suspicious activity.
Additional Indicators of Compromise are provided in Talos’ advisory.
IP Addresses
- 179[.]60[.]150[.]53
HTTP Requests
- http://179[.]60[.]150[.]53:80/download/msruntime.dll
Files
- C:\ProgramData\msruntime.dll (SHA256: 55d1480cd023b74f10692c689b56e7fd6cc8139fb6322762181daead55a62b9e)
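A host-side hunt for the indicators listed above, as an added example that is not part of the Netwrix advisory. It takes the defanged IP exactly as published and strips the brackets for matching, checks the named file path (and any other msruntime.dll under ProgramData) against the published SHA256, looks for live TCP connections to the address, and greps an exported log directory for the IP or the download path. The log directory `C:\Logs\Proxy` is an assumption; everything else comes from the IOC list.

```powershell
# Added example, not part of the Netwrix advisory. Run elevated; it only reports.
$IocHash        = '55d1480cd023b74f10692c689b56e7fd6cc8139fb6322762181daead55a62b9e'
$IocPath        = 'C:\ProgramData\msruntime.dll'
$IocIp          = '179[.]60[.]150[.]53' -replace '\[\.\]', '.'   # un-defang the published value
$IocUrlFragment = '/download/msruntime.dll'
$LogDir         = 'C:\Logs\Proxy'   # assumption: where proxy/web logs are exported on this host

$findings = @()

# 1. File indicator: the published path plus any same-named DLL elsewhere under ProgramData.
$candidates = @()
if (Test-Path -LiteralPath $IocPath) { $candidates += Get-Item -LiteralPath $IocPath }
$candidates += Get-ChildItem -Path 'C:\ProgramData' -Filter 'msruntime.dll' -Recurse -File -ErrorAction SilentlyContinue
foreach ($f in ($candidates | Sort-Object -Property FullName -Unique)) {
    $h = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash.ToLower()
    $detail = if ($h -eq $IocHash) { 'SHA256 matches advisory IOC' } else { "present, hash differs ($h)" }
    $findings += [pscustomobject]@{ Type = 'File'; Indicator = $f.FullName; Detail = $detail }
}

# 2. Live network connections to the IOC address, with the owning process.
$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue | Where-Object { $_.RemoteAddress -eq $IocIp }
foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Type = 'Network'; Indicator = $IocIp
        Detail = "state $($c.State), pid $($c.OwningProcess) ($($proc.Name))"
    }
}

# 3. Exported logs: either the raw IP or the download URL path is enough to flag a line.
if (Test-Path -LiteralPath $LogDir) {
    $patterns = @([regex]::Escape($IocIp), [regex]::Escape($IocUrlFragment))
    $hits = Get-ChildItem -Path $LogDir -File -Recurse | Select-String -Pattern $patterns
    foreach ($m in $hits) {
        $findings += [pscustomobject]@{
            Type = 'Log'; Indicator = $m.Filename
            Detail = "line $($m.LineNumber): $($m.Line.Trim())"
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No advisory IOCs found on this host.' }
```

A file present at the path with a differing hash is still reported, since a later payload variant would not match the single published hash; treat the path itself as the stronger signal and the hash as confirmation. The network check only sees connections open at run time, so the log search is what covers the historical download attempt.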
Revisions
Updates to this advisory may be made as necessary. Information about each change will be published in the table below.
Revision | Date | Description |
---|---|---|
5 | 2023-07-14T15:30:00Z | Updated to reflect information from the CISA advisory |
4 | 2022-12-12T17:45:00Z | Updated to include information from Talos’ advisory |
3 | 2022-10-27T14:00:00Z | Updated to include indicators of compromise and release of updated patch version 10.5.10977.0 |
2 | 2022-06-14T14:00:00Z | Updated to reflect public disclosure of CVE-2022-31199 |
1 | 2022-06-06T14:00:00Z | First published |
Disclaimer
The information and materials included in or linked to this Security Advisory are provided on an “as-is” basis and without warranty of any kind, and we disclaim all representations and warranties of any kind, whether express or implied, including warranties of merchantability and fitness for a particular use. You acknowledge and agree that your use of the information and materials included in or linked to this Security Advisory are at your own risk.