Executive Summary
Several vulnerabilities were identified and remediated during a routine security review of Netwrix PingCastle Enterprise and Pro. The vulnerabilities may allow an attacker to render PingCastle Enterprise and Pro unavailable or to gain unauthorized access to the application.
Netwrix is unaware of any evidence of active exploitation of any of these vulnerabilities.
Vulnerability
Title | Affected Component | Affected Versions | CVSS 4.0 Score | CVSS 3.1 Score (Base / Temporal) | Description |
---|---|---|---|---|---|
Broken Authentication - API Key State Ignored | Netwrix PingCastle Enterprise and Pro | < 3.3.0.1 | 7.7 | 7.5 / 6.5 | Netwrix PingCastle Enterprise and Pro allow access using API keys that have been disabled, which may allow an attacker in possession of a disabled API key to gain unauthorized access to the application. |
Account Policy - Weak Lockout Policy | Netwrix PingCastle Enterprise and Pro | < 3.3.0.1 | 7.6 | 8.1 / 7.1 | Netwrix PingCastle Enterprise and Pro do not enforce an account lockout policy, which increases the chance that a malicious actor could gain unauthorized access to the application by conducting dictionary attacks against known user accounts which do not have MFA enabled. |
Denial of Service - Shared Resource Lock | Netwrix PingCastle Enterprise and Pro | < 3.3.0.1 | 4.9 | 5.3 / 4.6 | Netwrix PingCastle Enterprise and Pro use a shared resource to prevent brute force attacks against account recovery codes, which may allow an attacker to execute a denial of service (DoS) attack rendering the application unavailable for the duration of the attack. |
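To make the three flaw classes in the table concrete, the following is a constructed Python example added for this page. It is not PingCastle code and says nothing about how PingCastle implements these checks; it only places a weak check beside its fix for each row: an API key lookup that ignores the key's disabled state, a login path with a per-account failure counter and lockout, and a recovery-code throttle keyed on one shared timestamp versus one keyed per account. Every class and method name, the thresholds, and the `now` values passed in are assumptions made for illustration.

```python
"""Constructed example: weak check beside its fix for each flaw class in the
advisory. Not PingCastle code; all names, thresholds and timings are assumed."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password storage a real product uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class ApiKey:
    key_id: str
    secret: str
    enabled: bool = True


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    recovery_code: str
    failures: int = 0
    locked_until: float = 0.0

    @classmethod
    def create(cls, username: str, password: str, recovery_code: str) -> "Account":
        salt = os.urandom(16)
        return cls(username, salt, _hash(password, salt), recovery_code)


class AuthService:
    LOCKOUT_THRESHOLD = 5      # failures before lockout (assumed value)
    LOCKOUT_SECONDS = 900      # lockout duration (assumed value)
    RECOVERY_INTERVAL = 5.0    # min seconds between recovery attempts (assumed)

    def __init__(self, keys, accounts):
        self._keys = {k.key_id: k for k in keys}
        self._accounts = {a.username: a for a in accounts}
        self._shared_last_recovery = float("-inf")  # one timer for everyone: weak
        self._last_recovery = {}                    # one timer per account: fix

    # 1. API key state -------------------------------------------------------
    def check_api_key_ignoring_state(self, key_id: str, secret: str) -> bool:
        """Weak: compares the secret but never consults 'enabled'."""
        k = self._keys.get(key_id)
        return k is not None and hmac.compare_digest(k.secret, secret)

    def check_api_key(self, key_id: str, secret: str) -> bool:
        """Fixed: a disabled key is rejected before the secret is compared."""
        k = self._keys.get(key_id)
        if k is None or not k.enabled:
            return False
        return hmac.compare_digest(k.secret, secret)

    # 2. Account lockout -----------------------------------------------------
    def login(self, username: str, password: str, now: float) -> bool:
        """Per-account failure counter; locks after LOCKOUT_THRESHOLD failures.
        `now` is injected so the example runs deterministically."""
        acct = self._accounts.get(username)
        if acct is None:
            return False
        if now < acct.locked_until:
            return False  # locked: the password is not evaluated at all
        if hmac.compare_digest(acct.password_hash, _hash(password, acct.salt)):
            acct.failures = 0
            return True
        acct.failures += 1
        if acct.failures >= self.LOCKOUT_THRESHOLD:
            acct.locked_until = now + self.LOCKOUT_SECONDS
            acct.failures = 0
        return False

    # 3. Recovery code throttle ---------------------------------------------
    def redeem_recovery_shared(self, username: str, code: str, now: float) -> str:
        """Weak: one global timestamp throttles every account, so a flood of
        attempts against any one user blocks recovery for all users."""
        if now - self._shared_last_recovery < self.RECOVERY_INTERVAL:
            return "throttled"
        self._shared_last_recovery = now
        return self._check_recovery(username, code)

    def redeem_recovery(self, username: str, code: str, now: float) -> str:
        """Fixed: the throttle is keyed per account."""
        last = self._last_recovery.get(username, float("-inf"))
        if now - last < self.RECOVERY_INTERVAL:
            return "throttled"
        self._last_recovery[username] = now
        return self._check_recovery(username, code)

    def _check_recovery(self, username: str, code: str) -> str:
        acct = self._accounts.get(username)
        if acct is None or not hmac.compare_digest(acct.recovery_code, code):
            return "denied"
        return "ok"
```

In the shared-throttle variant an attacker guessing against `alice` at t=0 makes `bob`'s genuine recovery attempt at t=1 come back `throttled`; in the per-account variant `bob` succeeds. Note the caveat that goes with both fixes: a per-account lockout or throttle still lets an attacker who knows a username lock that one user out, which is why the advisory pairs lockout with MFA rather than treating lockout as sufficient on its own, and why a real deployment usually adds a per-source limit as well.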
Exploitability
Factors such as whether details about the vulnerability are publicly known, whether an exploit is readily available, or whether adversaries are actively exploiting the vulnerability are valuable in making risk-based judgements about urgency and priority; customers should use the information below in making those decisions.
Title | Publicly known? | Exploit available? | Actively exploited? |
---|---|---|---|
Broken Authentication - API Key State Ignored | No | No | No |
Account Policy - Weak Lockout Policy | No | No | No |
Denial of Service - Shared Resource Lock | No | No | No |
Solution
All Netwrix PingCastle Enterprise and Pro customers are advised to update PingCastle Enterprise and Pro to version 3.3.0.1 or later as soon as possible.
Instructions for the Netwrix PingCastle Enterprise upgrade process can be found in this help center article.
Instructions for the Netwrix PingCastle Pro upgrade process can be found in this help center article.
Please contact the Netwrix technical support team should you need assistance.
Official Fixes
Updated software has been released containing official fixes for all listed vulnerabilities as indicated in the table below. Please ensure you apply the correct hotfix to the version of Netwrix PingCastle you are using.
Title | Fixed Version |
---|---|
Broken Authentication - API Key State Ignored | 3.3.0.1 |
Account Policy - Weak Lockout Policy | 3.3.0.1 |
Denial of Service - Shared Resource Lock | 3.3.0.1 |
FAQ
- How do I determine the current version of Netwrix PingCastle?
The current Netwrix PingCastle Enterprise and Pro version can be found by clicking the About link at the bottom of each page in Netwrix PingCastle Enterprise and Pro.
- Are Netwrix PingCastle Basic or Standard versions affected?
No, only Netwrix PingCastle Enterprise and Pro are affected by the vulnerabilities listed above.
Revisions
Updates to this advisory may be made as necessary. Information about each change will be published in the table below.
Revision | Date | Description |
---|---|---|
1 | 2024-11-14T18:30:00Z | First published |
Disclaimer
The information and materials included in or linked to this Security Advisory are provided on an “as-is” basis and without warranty of any kind, and we disclaim all representations and warranties of any kind, whether express or implied, including warranties of merchantability and fitness for a particular use. You acknowledge and agree that your use of the information and materials included in or linked to this Security Advisory are at your own risk.