Executive Summary
Several vulnerabilities were identified and remediated during a routine security review of Netwrix Threat Manager. The vulnerabilities may permit an attacker to brute-force credentials for built-in accounts, or permit an authenticated user to access functionality intended for highly privileged users.
Netwrix is unaware of any evidence of active exploitation of any of these vulnerabilities.
Vulnerability
Title | Affected Component | Affected Versions | CVSS 4.0 Score | CVSS 3.1 Score (Base / Temporal) | Description |
---|---|---|---|---|---|
Account Policy - Weak Lockout Policy | Netwrix Threat Manager | < 3.0.339 | 5.1 | 4.6 / 4.2 | Netwrix Threat Manager does not enforce an account lockout policy for built-in accounts, which increases the chance that a malicious actor could gain unauthorized access to the application by conducting dictionary attacks against known user accounts. |
Authorization Bypass - Missing Function Level Access Controls | Netwrix Threat Manager | < 3.0.339 | 8.5 | 7.6 / 6.8 | Netwrix Threat Manager does not enforce authorization controls on a small subset of operations which could allow authenticated users unauthorized access to pages or functionality. |
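As an added illustration of the first finding (this is not Netwrix code and does not describe how Threat Manager implements authentication), the constructed Python model below compares a lockout policy that exempts built-in accounts with one that applies to every account. The failure threshold, account names and passwords are assumptions; the advisory gives none of them.

```python
"""Constructed model of a login gate under two lockout policies.

Hypothetical code illustrating the advisory's weak-lockout finding; the
threshold, account names and credential store are all made up here.
"""
from dataclasses import dataclass, field

MAX_FAILURES = 5              # assumed threshold, not from the advisory
BUILTIN_ACCOUNTS = {"admin"}  # constructed; the advisory names no accounts


@dataclass
class LoginGate:
    passwords: dict            # constructed store; plaintext only for the model
    exempt_builtin: bool       # True reproduces the weak policy
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def attempt(self, user: str, password: str) -> str:
        """Evaluate one login attempt: 'locked', 'ok' or 'denied'."""
        if user in self.locked:
            return "locked"
        if self.passwords.get(user) == password:
            self.failures.pop(user, None)
            return "ok"
        # Weak policy: built-in accounts never accrue lockout state.
        if self.exempt_builtin and user in BUILTIN_ACCOUNTS:
            return "denied"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked.add(user)
        return "denied"


def replay_attempts(gate: LoginGate, user: str, guesses: list) -> dict:
    """Regression check: replay a guess list and report what the gate allowed."""
    results = [gate.attempt(user, g) for g in guesses]
    return {
        "attempts_evaluated": results.count("denied") + results.count("ok"),
        "rejected_by_lockout": results.count("locked"),
        "success": "ok" in results,
    }


# Constructed guess list; only the last entry matches the stored password.
GUESSES = [f"Password{i}" for i in range(1, 11)] + ["correct-horse"]
STORE = {"admin": "correct-horse", "alice": "s3cret"}

weak = replay_attempts(LoginGate(STORE, exempt_builtin=True), "admin", GUESSES)
fixed = replay_attempts(LoginGate(STORE, exempt_builtin=False), "admin", GUESSES)
```

Under the weak policy all eleven guesses against the built-in account are evaluated and the last one succeeds; under the corrected policy the account locks after the fifth failure and the remaining guesses are never checked against the stored password.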
Exploitability
Factors such as whether details about the vulnerability are publicly known, whether an exploit is readily available, or whether adversaries are actively exploiting the vulnerability are valuable in making risk-based judgements about urgency and priority; customers should use the information below in making those decisions.
Title | Publicly known? | Exploit available? | Actively exploited? |
---|---|---|---|
Authorization Bypass - Missing Function Level Access Controls | No | No | No |
Account Policy - Weak Lockout Policy | No | No | No |
Solution
All Netwrix Threat Manager customers are advised to update Netwrix Threat Manager to version 3.0 or later as soon as possible. Instructions for the Netwrix Threat Manager upgrade process can be found in this help center article.
Please contact the Netwrix technical support team should you need assistance.
Official Fixes
Updated software has been released containing official fixes for all listed vulnerabilities as indicated in the table below. Please ensure you apply the correct hotfix to the version of Netwrix Threat Manager you are using.
Title | Version |
---|---|
Authorization Bypass - Missing Function Level Access Controls | 3.0.339 |
Account Policy - Weak Lockout Policy | 3.0.339 |
FAQ
- How do I determine the current version of Netwrix Threat Manager?
The current Netwrix Threat Manager version is displayed at the bottom left corner of all pages within Netwrix Threat Manager.
Revisions
Updates to this advisory may be made as necessary. Information about each change will be published in the table below.
Revision | Date | Description |
---|---|---|
2 | 2024-10-18T17:20:00Z | Correct affected versions |
1 | 2024-10-17T14:00:00Z | First published |
Disclaimer
The information and materials included in or linked to this Security Advisory are provided on an “as-is” basis and without warranty of any kind, and we disclaim all representations and warranties of any kind, whether express or implied, including warranties of merchantability and fitness for a particular use. You acknowledge and agree that your use of the information and materials included in or linked to this Security Advisory is at your own risk.