ACTIVE-2019-010: Netwrix Auditor - Symbolic Link Privilege Escalation
Vulnerability Type:
Privilege Escalation
Vendors:
Netwrix Corporation
CVE ID:
CVE-2019-14969
Affected Products:
- Netwrix Auditor version 9.7 and earlier
Summary:
Netwrix Auditor version 9.7 and earlier suffer from insecure file permissions on C:\ProgramData\Netwrix Auditor\Logs\ActiveDirectory\ directory and it's sub-folders. In addition, the service Netwrix.ADA.StorageAuditService which writes to said directory does not preform proper impersonation, meaning the target file will have the same permissions as the invoking process, that is the log file (in this case, granting Authenticated Users full access over the target file). This vulnerability can be triggered by low privileged user to perform DLL Hijacking/Binary Planting attacks and ultimately execute code as NT AUTHORITY\SYSTEM with the help of Symbolic Links.
Mitigation:
The vendor has released a patch in version 9.8 addressing this vulnerability.
Credit:
This vulnerability was found by Hashim Jawad of ACTIVELabs.
References:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14969
- https://nvd.nist.gov/vuln/detail/CVE-2019-14969
Disclosure Timeline:
- 02-19-19: ACTIVELabs sent vulnerability details to CERT/CC
- 02-20-19: CERT/CC acknowledge report and requested to contact the effected vendor
- 02-22-19: ACTIVELabs contacted vendor via contact us form
- 02-28-19: Vendor responded requesting details
- 03-01-19: ACTIVELabs report sent
- 03-04-19: Vendor acknowledge report
- 03-15-19: ACTIVELabs requested an update
- 03-25-19: Vendor responded that they will come up with an action plan and get back with us
- 03-29-19: ACTIVELabs requested an update
- 04-01-19: Vendor responded with purposed fix plan
- 04-02-19: ACTIVELabs suggested disclosure timeline to vendor
- 04-23-19: CERT/CC requested an update
- 04-26-19: Vendor provided patch release date
- 05-14-19: Netwrix Auditor version 9.8 with a patch released
- 05-31-19: ACTIVELabs requested an update
- 06-04-19: Vendor requested more time to implement a guided upgrade program for effected customers
- 06-05-19: ACTIVELabs informed vendor to hold off on public disclosure until further notice
- 07-05-19: ACTIVELabs confirmed the patch has nullified the vulnerability
- 07-19-19: ACTIVELabs requested an update regarding releasing vulnerability information
- 07-23-19: Vendor requested to hold off until the week of August 12 to make sure most of the customers are up-to-date
- 08-12-19: ACTIVELabs publishes this advisory
- 08-12-19: ACTIVELabs request CVE entry from MITRE