Executive Summary
Several vulnerabilities were identified and remediated during a routine security review of Netwrix Change Tracker. They include weak brute-force protection during authentication, default credentials for the agent account, an authentication cookie that is persisted to disk, cloud credentials displayed in plain text, and persistent cross-site scripting that allows injection of arbitrary script into authenticated users' web browsers.
Netwrix is unaware of any evidence of active exploitation of any of these vulnerabilities.
Vulnerability
Title | Affected Component | Affected Versions | CVSS 4.0 Score (On-prem) | CVSS 3.1 Score (Base / Temporal) (On-prem) | CVSS 4.0 Score (Hosted) | CVSS 3.1 Score (Base / Temporal) (Hosted) | Description |
---|---|---|---|---|---|---|---|
Account Policy - Weak Lockout Policy | Netwrix Change Tracker | <= 7.7.3 | N/A | N/A | 10 | 9.1 / 8.2 | In a hosted environment only, Netwrix Change Tracker's account lockout policy is not enforced, which increases the chance that a malicious actor could gain unauthorized access to the application by conducting dictionary attacks against known user accounts. |
Cross-Site Scripting - Persistent | Netwrix Change Tracker | <= 7.7.3 | 6.8 | 5.9 / 5.3 | 8.4 | 6.1 / 5.5 | A persistent cross-site scripting vulnerability was discovered in Netwrix Change Tracker which may permit an attacker, using an authorized administrative account, to execute arbitrary code within the context of another user’s web browser. |
Weak Session Cookie - Persistent Cookie | Netwrix Change Tracker | <= 7.7.3 | 7.2 | 6.3 / 5.7 | 7.2 | 6.3 / 5.7 | Netwrix Change Tracker persists a user’s authentication cookie to disk. An attacker with local access to that disk, while the authentication cookie is valid, could access Netwrix Change Tracker as the authenticated user. |
Default credentials - Agent account | Netwrix Change Tracker | <= 7.7.3 | 5.8 | 9.6 / 8.3 | 7.1 | 10.0 / 8.7 | A default agent account with a well-known, documented username and password is created during initial installation of Netwrix Change Tracker. This account can be used to perform all actions an agent is authorized to perform, including but not limited to the retrieval of credentials used to access devices that are monitored using an Agentless approach. |
Sensitive Data Exposure - Monitored cloud credentials | Netwrix Change Tracker | <= 7.7.3 | 5.2 | 5.9 / 5.2 | 5.5 | 6.6 / 5.8 | Cloud authentication secrets are displayed to authorized administrator users in plain text in the Netwrix Change Tracker Hub. These secrets can be used to access cloud resources that are monitored using an Agentless approach. |
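The "Weak Session Cookie - Persistent Cookie" finding above is one a customer can verify against their own Hub from a login response: a session cookie that carries an Expires or Max-Age attribute is written to the browser's on-disk cookie store, which is exactly what gives an attacker with local disk access a reusable session. The following check is an added example, not Netwrix code; the cookie name AuthSession and the sample Set-Cookie header lines are constructed for illustration, since the advisory does not name the real cookie. It also reports missing Secure and HttpOnly attributes, and treats Max-Age=0 or a past Expires as a deletion rather than persistence.

```python
"""Flag authentication cookies that a browser would persist to disk.

Added example for the advisory's persistent-cookie finding; not Netwrix code.
The cookie name "AuthSession" and all header lines below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


@dataclass
class CookieFinding:
    name: str
    persistent: bool          # True if the browser will write the cookie to disk
    secure: bool
    httponly: bool
    issues: list = field(default_factory=list)


def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val}).
    Attribute names are case-insensitive (RFC 6265), so they are lowercased."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_persistent(attrs, now):
    """A cookie persists when it has Max-Age > 0 or a future Expires.
    Max-Age takes precedence over Expires; Max-Age <= 0 or a past Expires
    is a deletion, not persistence, so it is not flagged."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) > now
        except (TypeError, ValueError):
            return False
    return False


def check_auth_cookie(header_value, now=None):
    """Evaluate one Set-Cookie value as if it were the session cookie."""
    now = now or datetime.now(timezone.utc)
    name, _value, attrs = parse_set_cookie(header_value)
    finding = CookieFinding(
        name=name,
        persistent=is_persistent(attrs, now),
        secure="secure" in attrs,
        httponly="httponly" in attrs,
    )
    if finding.persistent:
        finding.issues.append("persistent: stored on disk until expiry")
    if not finding.secure:
        finding.issues.append("missing Secure")
    if not finding.httponly:
        finding.issues.append("missing HttpOnly")
    return finding


def audit_login_response(raw_headers, auth_cookie_names, now=None):
    """Return {cookie name: CookieFinding} for the named auth cookies only."""
    findings = {}
    for line in raw_headers:
        if not line.lower().startswith("set-cookie:"):
            continue
        finding = check_auth_cookie(line.split(":", 1)[1].strip(), now)
        if finding.name in auth_cookie_names:
            findings[finding.name] = finding
    return findings


# Constructed sample headers (hypothetical cookie name). The weak form keeps the
# session on disk for a week; the fixed form is a session-only cookie the browser
# discards on close, with Secure and HttpOnly set.
WEAK_LOGIN_HEADERS = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: AuthSession=9f1c2d3e; Path=/; Expires=Thu, 24 Oct 2024 14:00:00 GMT; HttpOnly",
    "Set-Cookie: ui_theme=dark; Path=/; Max-Age=31536000",
]
FIXED_LOGIN_HEADERS = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: AuthSession=9f1c2d3e; Path=/; Secure; HttpOnly; SameSite=Strict",
]
# Fixed reference time so the Expires comparison is reproducible.
REFERENCE_NOW = datetime(2024, 10, 17, 14, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_LOGIN_HEADERS), ("fixed", FIXED_LOGIN_HEADERS)):
        for f in audit_login_response(headers, {"AuthSession"}, REFERENCE_NOW).values():
            print(label, f.name, f.issues or ["ok"])
```

Run it against the headers captured from a real login to your Hub (for example from the browser's network panel) with the actual session cookie name substituted; only cookies named in auth_cookie_names are reported, so preference cookies such as the constructed ui_theme one are ignored.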
Exploitability
Factors such as whether details about the vulnerability are publicly known, whether an exploit is readily available, or whether adversaries are actively exploiting the vulnerability are valuable in making risk-based judgements about urgency and priority; customers should use the information below in making those decisions.
Title | Publicly known? | Exploit available? | Actively exploited? |
---|---|---|---|
Account Policy - Weak Lockout Policy | No | No | No |
Cross-Site Scripting - Persistent | No | No | No |
Weak Session Cookie - Persistent Cookie | No | No | No |
Default credentials - Agent account | Yes | No | No |
Sensitive Data Exposure - Monitored cloud credentials | No | No | No |
Solution
All Netwrix Change Tracker customers are advised to update Change Tracker to version 7.7.4 or later as soon as possible. Instructions for the Netwrix Change Tracker Hub upgrade process can be found in this help center article. Instructions for the Netwrix Change Tracker Agent upgrade process can be found in this help center article.
All Netwrix Change Tracker customers are advised to determine if the default agent account credentials (username: agent, password: passWord121) are in use and, if so, replace the agent account out of band of Netwrix Change Tracker as soon as possible. Instructions for determining if the default agent account credentials are in use can be found in this help center article. Instructions for replacing the agent account out of band of Netwrix Change Tracker can be found in this help center article.
Please contact the Netwrix technical support team should you need assistance.
Official Fixes
Updated software has been released containing official fixes for all listed vulnerabilities as indicated in the table below. Please ensure you apply the correct hotfix to the version of Netwrix Change Tracker you are using.
Title | Version |
---|---|
Account Policy - Weak Lockout Policy | 7.7.4 |
Cross-Site Scripting - Persistent | 7.7.4 |
Weak Session Cookie - Persistent Cookie | 7.7.4 |
Default credentials - Agent account | 7.7.4* |
Sensitive Data Exposure - Monitored cloud credentials | 7.7.4 |
* If vulnerable, additional steps are required to fully remediate this issue by replacing the agent account out of band of Netwrix Change Tracker. Please refer to the Solution section above.
FAQ
- How do I determine the current version of Netwrix Change Tracker?
Please refer to the Settings -> About page in the Netwrix Change Tracker Hub to determine the version of the Hub, and to the Settings -> Agent Updates page in the Netwrix Change Tracker Hub to determine the version of any Netwrix Change Tracker Agent.
- It will take my company some time to replace the agent account. How urgent is this part of the update?
While applying the hotfix is the most critical step and should be done immediately, we advise customers to act with urgency in determining whether the default agent account credentials are in use and, if so, in replacing the agent account out of band of Netwrix Change Tracker, following an expedited testing and emergency change control process. The default agent account credentials can be used to perform all actions an agent is authorized to perform, including but not limited to the retrieval of credentials used to access devices that are monitored using an Agentless approach. An attacker may be able to use that access as part of an attack chain to cause greater damage and/or move laterally across the network.
- Can I rotate the agent account password from within Netwrix Change Tracker to address the default agent account credentials vulnerability?
If replacing the agent account out of band of Netwrix Change Tracker (see the Solution section above) is not possible, the agent account username and/or password can be rotated from the Netwrix Change Tracker Hub; please refer to this help center article for instructions. However, this process is not recommended to address this vulnerability (or to change any known or breached password in the future): an attacker who holds the default agent account credentials can use them to obtain the replacement credentials, compromising the replacement as well. Any customer undertaking this procedure as a remediation for the default agent account credentials in Netwrix Change Tracker 7.7.3 or below does so at their own risk. Netwrix accepts no liability for any incidents or compromise of data which arise now or in the future as a result.
Revisions
Updates to this advisory may be made as necessary. Information about each change will be published in the table below.
Revision | Date | Description |
---|---|---|
1 | 2024-10-17T14:00:00Z | First published |
Disclaimer
The information and materials included in or linked to this Security Advisory are provided on an “as-is” basis and without warranty of any kind, and we disclaim all representations and warranties of any kind, whether express or implied, including warranties of merchantability and fitness for a particular use. You acknowledge and agree that your use of the information and materials included in or linked to this Security Advisory are at your own risk.