Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

ACTIVE-2019-010: Netwrix Auditor - Symbolic Link Privilege Escalation

Vulnerability Type:

Privilege Escalation

Vendors:

Netwrix Corporation

CVE ID:

CVE-2019-14969

Affected Products:

  • Netwrix Auditor version 9.7 and earlier

Summary:

Netwrix Auditor version 9.7 and earlier suffer from insecure file permissions on C:\ProgramData\Netwrix Auditor\Logs\ActiveDirectory\ directory and it's sub-folders. In addition, the service Netwrix.ADA.StorageAuditService which writes to said directory does not preform proper impersonation, meaning the target file will have the same permissions as the invoking process, that is the log file (in this case, granting Authenticated Users full access over the target file). This vulnerability can be triggered by low privileged user to perform DLL Hijacking/Binary Planting attacks and ultimately execute code as NT AUTHORITY\SYSTEM with the help of Symbolic Links.

Mitigation:

The vendor has released a patch in version 9.8 addressing this vulnerability.

Credit:

This vulnerability was found by Hashim Jawad of ACTIVELabs.

References:

Disclosure Timeline:

  • 02-19-19: ACTIVELabs sent vulnerability details to CERT/CC
  • 02-20-19: CERT/CC acknowledge report and requested to contact the effected vendor
  • 02-22-19: ACTIVELabs contacted vendor via contact us form
  • 02-28-19: Vendor responded requesting details
  • 03-01-19: ACTIVELabs report sent
  • 03-04-19: Vendor acknowledge report
  • 03-15-19: ACTIVELabs requested an update
  • 03-25-19: Vendor responded that they will come up with an action plan and get back with us
  • 03-29-19: ACTIVELabs requested an update
  • 04-01-19: Vendor responded with purposed fix plan
  • 04-02-19: ACTIVELabs suggested disclosure timeline to vendor
  • 04-23-19: CERT/CC requested an update
  • 04-26-19: Vendor provided patch release date
  • 05-14-19: Netwrix Auditor version 9.8 with a patch released
  • 05-31-19: ACTIVELabs requested an update
  • 06-04-19: Vendor requested more time to implement a guided upgrade program for effected customers
  • 06-05-19: ACTIVELabs informed vendor to hold off on public disclosure until further notice
  • 07-05-19: ACTIVELabs confirmed the patch has nullified the vulnerability
  • 07-19-19: ACTIVELabs requested an update regarding releasing vulnerability information
  • 07-23-19: Vendor requested to hold off until the week of August 12 to make sure most of the customers are up-to-date
  • 08-12-19: ACTIVELabs publishes this advisory
  • 08-12-19: ACTIVELabs request CVE entry from MITRE