ADV-2024-003 - Remote Code Execution in Netwrix Threat Prevention and Update to ADV-2021-001

Executive Summary

A vulnerability was discovered during an internal security review of Netwrix Threat Prevention (formerly StealthINTERCEPT). An attacker who controls an agent, or who holds a compromised credential, can send a specially crafted network packet to Enterprise Manager and achieve remote code execution with SYSTEM privileges. Having compromised the Enterprise Manager service, the attacker can then pivot to other agents.

Additionally, long-term efforts to complete remediation of the vulnerabilities described in security advisory ADV-2021-001 have continued. With the release of Netwrix Threat Manager 7.4.0, final remediation of the four vulnerabilities that remained open is complete, and capabilities such as remote installation of the Windows Console have been restored.

Vulnerability

Title: Remote code execution in Enterprise Manager
Affected Component: Netwrix Threat Prevention
Affected Versions: < 7.4.0
CVSS 4.0 Score: 9.4
CVSS 3.1 Score (Base / Temporal): 9.9 / 9.5
Description: A vulnerability in the communications protocol between an agent and Enterprise Manager can lead to remote code execution with SYSTEM privileges.

Exploitability

Factors such as whether details about the vulnerability are publicly known, whether an exploit is readily available, or whether adversaries are actively exploiting the vulnerability are valuable in making risk-based judgments about urgency and priority; customers should use the information below in making those decisions.

Title: Remote code execution in Enterprise Manager
Publicly known? No
Exploit available? No
Actively exploited? No

Solution

Customers utilizing Netwrix Threat Prevention are advised to update Netwrix Threat Prevention to version 7.4.0.

Important: Upgrading to version 7.4.0 from versions prior to 7.3.9 requires a multi-step upgrade process. Please review the upgrade documentation for specific instructions.

Official Fixes

Updated software has been released containing official fixes as indicated in the table below.

Title: Remote code execution in Enterprise Manager
Version: Netwrix Threat Prevention 7.4.0.45

Title: NXV-2021-0001 - Improper implementation of authentication in StealthINTERCEPT
Version: Netwrix Threat Prevention 7.4.0.45

Title: NXV-2021-0002 - Improper implementation of authorization in StealthINTERCEPT Enterprise Manager
Version: Netwrix Threat Prevention 7.4.0.45

Title: NXV-2021-0003 - Remote code execution in StealthINTERCEPT Enterprise Manager
Version: Netwrix Threat Prevention 7.4.0.45

Title: NXV-2021-0004 - Remote code execution in StealthINTERCEPT Enterprise Manager
Version: Netwrix Threat Prevention 7.4.0.45

FAQ

  1. Why is a multi-stage upgrade required for versions prior to 7.3.9?

    In version 7.3.9, Netwrix Threat Prevention introduced a substantial change in the communications protocol between the agents and Enterprise Manager. To enable seamless migration, version 7.3.9 agents are able to communicate to Enterprise Manager with either protocol version. In Netwrix Threat Prevention 7.4.0 the old protocol version is entirely removed.

    Thus, attempting to upgrade directly from a version prior to 7.3.9 to 7.4 will result in the agents failing to communicate with Enterprise Manager, and customers would then have to manually update the agent on each domain controller.

  2. How do I determine the currently installed versions of Netwrix Threat Prevention agents?

    The agent software version can be seen in the Windows Console on the Agents interface.
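The two FAQ answers above define a simple pre-upgrade triage rule: any agent below 7.4.0 is affected, and any agent below 7.3.9 cannot be upgraded directly because 7.4.0 drops the old protocol. The following script is an added example, not Netwrix's code, that applies that rule to an agent inventory; the hostnames and versions are constructed, and in practice the versions would be read from the Agents interface of the Windows Console as the answer above describes. It also shows why versions must be compared numerically rather than as strings.

```python
from typing import Iterable, List, Tuple

# Thresholds taken from the advisory text.
FIXED_VERSION = "7.4.0"    # first release carrying the official fix
PROTOCOL_BRIDGE = "7.3.9"  # agents at or above this speak both protocol versions


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.3.10' into (7, 3, 10) so that 7.3.10 sorts after 7.3.9.

    Comparing the raw strings would put '7.3.10' before '7.3.9'.
    Short versions such as '7.4' are padded to three components so that
    '7.4' compares equal to '7.4.0' instead of below it.
    """
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def classify_agent(version: str) -> str:
    """Map an agent version to the action the advisory implies."""
    ver = parse_version(version)
    if ver >= parse_version(FIXED_VERSION):
        return "current"
    if ver >= parse_version(PROTOCOL_BRIDGE):
        return "vulnerable-direct-upgrade"      # upgrade straight to 7.4.0
    return "vulnerable-multi-step-upgrade"      # must pass through 7.3.9 first


# Constructed sample inventory (hostname, agent version); not real hosts.
AGENT_INVENTORY = [
    ("dc01.corp.example", "7.4.0.45"),
    ("dc02.corp.example", "7.3.9"),
    ("dc03.corp.example", "7.3.10"),
    ("dc04.corp.example", "7.2.1"),
]


def upgrade_plan(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, action) for every agent in the inventory."""
    return [(host, ver, classify_agent(ver)) for host, ver in inventory]


if __name__ == "__main__":
    for host, ver, action in upgrade_plan(AGENT_INVENTORY):
        print(f"{host:22} {ver:10} {action}")
```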

Revisions

Updates to this advisory may be made as necessary. Information about each change will be published in the table below.

Revision: 1
Date: 2024-09-04T18:00:00Z
Description: First published

Disclaimer

The information and materials included in or linked to this Security Advisory are provided on an "as-is" basis and without warranty of any kind, and we disclaim all representations and warranties of any kind, whether express or implied, including warranties of merchantability and fitness for a particular use. You acknowledge and agree that your use of the information and materials included in or linked to this Security Advisory is at your own risk.