Executive Summary
A sensitive data exposure vulnerability in Netwrix Auditor for Active Directory was discovered during an internal security review. Netwrix Auditor for Active Directory interrogates Active Directory for data it uses to provide detailed insights into the health and security of the directory. When a highly privileged account is used for collection, Netwrix Auditor inadvertently retrieved and stored within its audit data several sensitive data elements, including the Key Distribution Services KDS Root Key which is used in the generation and validation of passwords for Group Managed Service Accounts (gMSA).
This sensitive data is no longer retrieved by the Netwrix Auditor Active Directory Collector in version 10.6.
Vulnerability
Affected Component | Affected Versions | CVSS 3.1 Score (base / temporal) | Title | Description |
---|---|---|---|---|
Netwrix Auditor Active Directory Collector | Prior to 10.6 | 7.7 / 6.9 | Sensitive Data Exposure in Netwrix Auditor Active Directory Collector | When a highly privileged account is used for collection, Netwrix Auditor inadvertently retrieved and stored within its audit data several sensitive data elements, including the Key Distribution Services KDS Root Key which is used in the generation and validation of passwords for Group Managed Service Accounts. |
Exploitability
Factors such as whether details about the vulnerability are publicly known, whether an exploit is readily available, or whether adversaries are actively exploiting the vulnerability are valuable in making risk-based judgements about urgency and priority; customers should use the information below in making those decisions.
Title | Publicly known? | Exploit available? | Actively exploited? |
---|---|---|---|
Sensitive Data Exposure in Netwrix Auditor Active Directory Collector | No | No | No |
Solution
All Netwrix Auditor customers are advised to take the following actions:
- Update Netwrix Auditor to version 10.6 or later as soon as possible. Instructions for the upgrade process are available in the help center and in our knowledge base. Please contact the Netwrix technical support team should you need assistance.
- Create a new KDS Root Key with an EffectiveTime greater than the maximum time it takes all domain controllers to replicate. For example, if it takes all domain controllers up to 1 hour to complete replication, set the EffectiveTime parameter to a later time:
  Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(2))
  When a gMSA changes its own password (by default every 30 days) this new key will be used instead. It is not possible to accelerate password changes for existing gMSAs.
- Run the Netwrix Auditor ADV-2023-003 Tool to scrub Netwrix Auditor’s audit archives of this sensitive data, minimizing risk while gMSA passwords are changed.
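The key rollover in the second step, and the follow-on wait for gMSA password changes, as an added PowerShell example that is not part of the advisory or the Netwrix tool: it lists the existing KDS Root Keys, creates the new one with an EffectiveTime beyond the assumed replication window ($ReplicationHours is an assumed parameter), and estimates from PasswordLastSet and msDS-ManagedPasswordInterval when each gMSA will next change its password and start using the new key. It assumes the ActiveDirectory module and rights to manage KDS keys.

```powershell
# Added example, not from the Netwrix advisory. Assumes the ActiveDirectory
# module and Domain Admin rights on a domain controller. $ReplicationHours is
# an assumed parameter: the measured worst-case replication time across all DCs.
param(
    [int]$ReplicationHours = 1,
    [switch]$WhatIf
)
Import-Module ActiveDirectory

# Existing keys, oldest first. Any key created before the upgrade may have
# been captured in Netwrix Auditor audit data.
Write-Host "Existing KDS Root Keys:"
Get-KdsRootKey | Sort-Object CreationTime |
    Select-Object KeyId, CreationTime, EffectiveTime | Format-Table -AutoSize

# EffectiveTime must exceed the replication window; twice the measured value
# mirrors the advisory's "1 hour to replicate -> AddHours(2)" example.
$effective = (Get-Date).AddHours(2 * $ReplicationHours)
if ($WhatIf) {
    Write-Host "Would create a KDS Root Key effective at $effective"
} else {
    $keyId = Add-KdsRootKey -EffectiveTime $effective   # returns the new KeyId (GUID)
    Write-Host "Created KDS Root Key $keyId, effective at $effective"
    # Confirms the new key is present and readable on this DC
    Test-KdsRootKey -KeyId $keyId
}

# Each gMSA keeps its current password until its next scheduled change, so the
# old key stays relevant until then. Estimate that date from PasswordLastSet
# plus msDS-ManagedPasswordInterval (30 days when the attribute is unset).
Get-ADServiceAccount -Filter { ObjectClass -eq 'msDS-GroupManagedServiceAccount' } `
        -Properties PasswordLastSet, 'msDS-ManagedPasswordInterval' |
    ForEach-Object {
        $interval = if ($_.'msDS-ManagedPasswordInterval') { $_.'msDS-ManagedPasswordInterval' } else { 30 }
        [pscustomobject]@{
            Name            = $_.Name
            PasswordLastSet = $_.PasswordLastSet
            IntervalDays    = $interval
            NextChangeAfter = if ($_.PasswordLastSet) { $_.PasswordLastSet.AddDays($interval) } else { $null }
        }
    } | Sort-Object NextChangeAfter | Format-Table -AutoSize
```

Run with -WhatIf first to review the existing keys and the gMSA schedule before creating the key; accounts whose NextChangeAfter is furthest out are the ones the ADV-2023-003 scrub tool matters most for.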
Official Fixes
Updated software has been released containing official fixes as indicated in the table below.
Title | Version |
---|---|
Sensitive Data Exposure in Netwrix Auditor Active Directory Collector | Netwrix Auditor 10.6.12275 |
FAQ
- How do I determine the version of Netwrix Auditor?
  To determine the version and build of your Netwrix Auditor instance, please visit this Knowledgebase Article or refer to the following steps:
  - In your main Netwrix Auditor menu, click the Settings button.
  - In the left pane, select About Netwrix Auditor.
  - The current version and build will be available in the right section.
Revisions
Updates to this advisory may be made as necessary. Information about each change will be published in the table below.
Revision | Date | Description |
---|---|---|
1 | 2023-08-08T17:00:00Z | First published |
Disclaimer
The information and materials included in or linked to this Security Advisory are provided on an “as-is” basis and without warranty of any kind, and we disclaim all representations and warranties of any kind, whether express or implied, including warranties of merchantability and fitness for a particular use. You acknowledge and agree that your use of the information and materials included in or linked to this Security Advisory are at your own risk.