Executive Summary
Several vulnerabilities were identified and remediated during a security review of Netwrix Endpoint Protector (formerly CoSoSys Endpoint Protector). The vulnerabilities may allow an attacker to gain unauthorized access to the application, modify policies, affect client behavior, view sensitive data, or render Endpoint Protector unavailable.
Users of Netwrix Endpoint Protector are advised to update to Endpoint Protector version 5.9.4.1. Netwrix is unaware of any evidence of active exploitation of any of these vulnerabilities.
Vulnerability
Title | Affected Component | Affected Versions | CVSS 4.0 Score | CVSS 3.1 Score (Base / Temporal) | Description |
---|---|---|---|---|---|
Improper neutralization of special elements used in an SQL command | Endpoint Protector Server | <= 5.9.4.0 | 9.3 | 9.8 / 8.5 | Instances of insufficient SQL query sanitization could allow an unauthenticated attacker to create an administrative account or allow an authenticated administrator to escalate privileges, leading to disclosure of sensitive information or modification of policies. |
Improper neutralization of input during web page generation | Endpoint Protector Server | <= 5.9.4.0 | 9.3 | 9.6 / 8.3 | Cross-site scripting issues in administrative web pages could result in a successful phishing attack carried out by an unauthenticated attacker, resulting in unauthorized administrative actions being taken. |
Insufficiently protected credentials in file shadowing | Endpoint Protector Server | <= 5.9.4.0 | 9.2 | 8.2 / 7.1 | An unauthenticated attacker could acquire the AWS S3 bucket secret key and the FTP and SMB credentials used for the file shadowing functionality. |
Denial-of-service due to insufficient administrative action authorization | Endpoint Protector Appliance | <= 5.9.4.0 | 6.9 | 4.9 / 4.3 | An administrator with read-only permissions could carry out a denial-of-service attack resulting in an unresponsive Endpoint Protector Appliance state. |
Insufficient validation of cross-site requests in administrative actions | Endpoint Protector Server | <= 5.9.4.0 | 6.2 | 8.1 / 7.1 | An unauthorized attacker could utilize a lack of request validation combined with a successful phishing attack against an administrator to remove client PC software, remove clients and restart services. |
Insufficiently protected Azure Active Directory credentials | Endpoint Protector Server | <= 5.9.4.0 | 5.1 | 4.1 / 3.6 | An administrator with privileges to set the Azure Active Directory client secret and authentication credentials could retrieve authentication secrets in plaintext including the current access token. |
Generation of error message containing sensitive information | Endpoint Protector Server | <= 5.9.4.0 | 5.1 | 2.7 / 2.4 | An authorized attacker could cause the Endpoint Protector server to generate and display error messages containing SQL query fragments. |
Exploitability
Factors such as whether details about the vulnerability are publicly known, whether an exploit is readily available, or whether adversaries are actively exploiting the vulnerability are valuable in making risk-based judgments about urgency and priority; customers should use the information below in making those decisions.
Title | Publicly known? | Exploit available? | Actively exploited? |
---|---|---|---|
Improper neutralization of special elements used in an SQL command | No | No | No |
Improper neutralization of input during web page generation | No | No | No |
Insufficiently protected credentials in file shadowing | No | No | No |
Denial-of-service due to insufficient administrative action authorization | No | No | No |
Insufficient validation of cross-site requests in administrative actions | No | No | No |
Insufficiently protected Azure Active Directory credentials | No | No | No |
Generation of error message containing sensitive information | No | No | No |
Solution
All Netwrix Endpoint Protector customers are advised to update Endpoint Protector to version 5.9.4.1 or later as soon as possible.
Although the vulnerabilities listed in this advisory are not known to Netwrix to be publicly disclosed or actively exploited, we recommend adhering to best practices by updating the following credentials:
- AWS S3 Bucket Secret Key
- FTP Credentials
- SMB Credentials
- Azure Active Directory Authentication Credential
- Azure Active Directory Access Token
- Azure Active Directory Client Secret
Please contact the Netwrix technical support team should you need assistance.
Official Fixes
Updated software has been released containing official fixes for all listed vulnerabilities as indicated in the table below.
Product | Release Version |
---|---|
Netwrix Endpoint Protector | 5.9.4.1 |
FAQ
How do I determine which version of Netwrix Endpoint Protector is in use?
Please refer to this knowledge base article.
Revisions
Updates to this advisory may be made as necessary. Information about each change will be published in the table below.
Revision | Date | Description |
---|---|---|
1 | 2024-01-21T14:00:00Z | First published |
Disclaimer
The information and materials included in or linked to this Security Advisory are provided on an “as-is” basis and without warranty of any kind, and we disclaim all representations and warranties of any kind, whether express or implied, including warranties of merchantability and fitness for a particular use. You acknowledge and agree that your use of the information and materials included in or linked to this Security Advisory are at your own risk.