Executive Summary
During a routine third-party security review of Netwrix PolicyPak Cloud, two vulnerabilities were identified. These vulnerabilities may allow an attacker to obtain a Netwrix PolicyPak Cloud Client-specific certificate and unregister that client from Netwrix PolicyPak Cloud. This may cause policy sync requests to fail and any relevant policy updates to not be applied to the client.
Netwrix is unaware of any evidence of active exploitation of these vulnerabilities.
Vulnerability
Title | Affected Component | Affected Versions | CVSS 4.0 Score | CVSS 3.1 Score (Base / Temporal) | Description |
---|---|---|---|---|---|
Weak Cryptography - Use of a Broken or Risky Cryptographic Algorithm | Netwrix PolicyPak Cloud Client | <= 24.11.4080.1016 | 5.9 | 5.7 / 5.0 | Backups of Netwrix PolicyPak Cloud Client-specific certificates, created when PolicyPak Cloud Client is installed on a virtual desktop image, are saved as a PKCS#12/PFX file encrypted using TripleDES-SHA1. This may allow an attacker, who has local access to the client, to obtain the client-specific certificate and unregister that client from Netwrix PolicyPak Cloud. This may cause policy sync requests to fail and any relevant policy updates to not be applied to the client. |
Weak Cryptography - Hardcoded Encryption Key | Netwrix PolicyPak Cloud Client | <= 24.11.4080.1016 | 4.8 | 5.3 / 4.6 | During registration, Netwrix PolicyPak Cloud Client establishes an mTLS encrypted connection with Netwrix PolicyPak Cloud using a customer-specific certificate included in the Netwrix PolicyPak Cloud Client installation package created for that customer. As an additional layer of protection, Netwrix PolicyPak Cloud encrypts the client-specific certificate that is created, and returned to the client, during the registration process. This encryption uses a hard-coded key. This may allow an attacker, who was in possession of the customer-specific certificate and has access to the network, to obtain the client-specific certificate and unregister that client from Netwrix PolicyPak Cloud. This may cause policy sync requests to fail and any relevant policy updates to not be applied to the client. |
Exploitability
Factors such as whether details about the vulnerability are publicly known, whether an exploit is readily available, or whether adversaries are actively exploiting the vulnerability are valuable in making risk-based judgements about urgency and priority; customers should use the information below in making those decisions.
Title | Publicly known? | Exploit available? | Actively exploited? |
---|---|---|---|
Weak Cryptography - Use of a Broken or Risky Cryptographic Algorithm | No | No | No |
Weak Cryptography - Hardcoded Encryption Key | No | No | No |
Solution
All Netwrix PolicyPak Cloud customers are advised to update Netwrix PolicyPak Cloud Client to version 25.2 or later as soon as possible.
Instructions for the Netwrix PolicyPak Cloud Client upgrade process can be found in the following help center articles:
- Rings with PolicyPak Cloud
- Using “Rings” to Test and Update the PolicyPak Client-Side Extension (And How to Stay Supported)
- PolicyPak Cloud Groups CSE and Cloud Client Small-Scale Testing and Updates
Please note that the help center articles cover the Netwrix PolicyPak Client Side Extensions upgrade process; the same process can be followed to upgrade Netwrix PolicyPak Cloud Client.
Customers who have installed Netwrix PolicyPak Cloud Client and run ppcloud.exe /sysprep for any reason (e.g. when creating a virtual desktop image) should run ppcloud.exe /sysprep again (and update the image if appropriate) in order to create a client-specific certificate backup encrypted with a secure cryptographic algorithm. Please note, this fix is not supported on Windows 10 versions prior to 1709.
Instructions for running Netwrix PolicyPak Cloud Client sysprep can be found in the following help center articles:
- PolicyPak Cloud Client Commands
- How to install the PolicyPak Cloud Client for use in an Azure Virtual Desktop image
- How to install and configure the PPC Client for a Non-Persistent VDI Image in VMware Horizon
Please contact the Netwrix technical support team should you need assistance.
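To check whether a certificate backup recreated after the upgrade still carries the TripleDES-SHA1 scheme described above, the unencrypted algorithm identifiers in the PFX container can be read without the password. The following is an added example, not Netwrix code: all function names and the sample bytes are constructed, only definite-length DER is handled, and the PBES2 check is an assumption because this advisory does not name the replacement algorithm.

```python
# Added example: helper names and sample bytes are constructed for illustration.
LEGACY_PBE = {"1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC"}
PBES2 = "1.2.840.113549.1.5.13"  # assumption: a modern PFX would show this OID

def _tlv(buf, pos):  # one definite-length DER element -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length == 0x80:
        raise ValueError("indefinite length (BER) not supported")
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def _oid(value):  # OBJECT IDENTIFIER content bytes -> dotted string
    arcs, n = [], 0
    for b in value:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    head = min(arcs[0] // 40, 2)
    return ".".join(map(str, [head, arcs[0] - 40 * head] + arcs[1:]))

def collect_oids(buf):  # walk DER, including OCTET STRINGs that wrap nested DER
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = _tlv(buf, pos)
        if tag == 0x06:
            out.append(_oid(value))
        elif tag & 0x20:                   # constructed: SEQUENCE, SET, [0]
            out.extend(collect_oids(value))
        elif tag == 0x04:                  # salt or ciphertext will not parse: skip
            try:
                out.extend(collect_oids(value))
            except (ValueError, IndexError):
                pass
    return out

def pfx_pbe_report(data):  # -> (legacy algorithm names found, PBES2 present?)
    oids = set(collect_oids(data))
    return sorted(LEGACY_PBE[o] for o in LEGACY_PBE.keys() & oids), PBES2 in oids

def _der(tag, body):  # sample builder, short-form lengths only
    return bytes([tag, len(body)]) + body

def sample_pfx(alg_oid_hex):  # constructed PFX-like skeleton, not a real backup
    pbe = _der(0x30, bytes.fromhex(alg_oid_hex) + _der(0x30, _der(0x04, b"\x01" * 8)))
    bag = _der(0x30, pbe + _der(0x04, b"\xff" * 16))
    info = bytes.fromhex("06092a864886f70d010701") + _der(0xA0, _der(0x04, bag))
    return _der(0x30, _der(0x02, b"\x03") + _der(0x30, info))
```

For a real file, pass its raw bytes to pfx_pbe_report; a non-empty first element means the legacy scheme is still in use and the backup should be recreated.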
Official Fixes
Updated software has been released containing official fixes for all listed vulnerabilities as indicated in the table below.
Title | Version |
---|---|
Weak Cryptography - Use of a Broken or Risky Cryptographic Algorithm | 25.2 |
Weak Cryptography - Hardcoded Encryption Key | 25.2 |
FAQ
- How do I determine the current version of Netwrix PolicyPak Cloud Client?
  The version is displayed when ppcloud.exe /status or ppcloud.exe /sync is run, and in Windows “Add/Remove Programs”.
- Is Netwrix PolicyPak (non cloud) or Netwrix PolicyPak CSE (Client Side Extensions) affected?
  No, only Netwrix PolicyPak Cloud Client is affected by the vulnerabilities listed above.
Please contact the Netwrix technical support team should you need assistance.
Revisions
Updates to this advisory may be made as necessary. Information about each change will be published in the table below.
Revision | Date | Description |
---|---|---|
2 | 2025-03-11T14:25:00Z | Added additional FAQ |
1 | 2025-03-11T13:00:00Z | First published |
Disclaimer
The information and materials included in or linked to this Security Advisory are provided on an “as-is” basis and without warranty of any kind, and we disclaim all representations and warranties of any kind, whether express or implied, including warranties of merchantability and fitness for a particular use. You acknowledge and agree that your use of the information and materials included in or linked to this Security Advisory are at your own risk.