New Netwrix Auditor bug could allow attackers to compromise Active Directory domain

Researchers have revealed details of a security vulnerability in the Netwrix Auditor application which, if successfully exploited, could lead to the execution of arbitrary code on affected devices.

“Since this service is typically run with extended privileges in an Active Directory environment, the attacker would likely be able to compromise the Active Directory domain,” Bishop Fox said in a notice published this week.

Netwrix Auditor is an auditing and visibility platform that gives organizations a consolidated view of their IT environments, including Active Directory, Exchange, file servers, SharePoint, VMware and other systems, all from a single console.

Netwrix, the company behind the software, claims more than 11,500 customers in over 100 countries, such as Airbus, Virgin, King’s College Hospital, and Credissimo, among others.

Netwrix Auditor bug

The flaw, which affects all supported versions before 10.5, has been described as an insecure object deserialization: a class of bug in which untrusted, user-controllable data is deserialized by the application, which an attacker can abuse to achieve remote code execution.


The root cause of the bug is an insecure .NET remoting service exposed on TCP port 9004 of the Netwrix server; an attacker who can reach that port can have the service deserialize attacker-controlled data and thereby execute arbitrary commands on the server.

“Since the command was run with NT AUTHORITY\SYSTEM privileges, exploiting this issue would allow an attacker to completely compromise the Netwrix server,” said Jordan Parkin of Bishop Fox.

Organizations that rely on Auditor are advised to update the software to the latest version, 10.5, released June 6, to mitigate the risk.
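As an added example (not code from the article, from Netwrix, or from Bishop Fox), the following Python triage helper turns the two concrete facts above into a check an administrator can run against a host: builds earlier than 10.5 are affected, and the vulnerable .NET remoting service listens on TCP port 9004. The netstat-style sample lines are constructed for illustration, the function names are this example's own, and the rule that a listener bound to anything other than loopback counts as "exposed" is an assumption, not something the article states.

```python
# Added example, not the article's or the vendor's code. Decides whether a
# Netwrix Auditor host needs attention by combining an installed-version check
# (< 10.5 is affected, per the article) with a scan of netstat-style output for
# LISTENING sockets on TCP 9004 (the .NET remoting port named in the article).
from __future__ import annotations

import re
from dataclasses import dataclass, field

FIXED_VERSION = (10, 5)              # first fixed release named in the article
REMOTING_PORT = 9004                 # .NET remoting listener named in the article
LOOPBACK = {"127.0.0.1", "[::1]"}    # assumption: only these count as not exposed

# Constructed sample: the relevant lines of `netstat -ano` on a Windows host.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:9004           0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:9004         0.0.0.0:0              LISTENING       4120
  TCP    [::]:9004              [::]:0                 LISTENING       4120
  TCP    10.0.0.5:9004          10.0.0.9:51234         ESTABLISHED     4120
"""

# Matches one LISTENING line: local address (IPv4 or bracketed IPv6), port, PID.
_LISTEN_RE = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$"
)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '10.5.0.1234' (optionally prefixed 'v') into a comparable int tuple."""
    m = re.match(r"v?(\d+(?:\.\d+)*)\s*$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version: str) -> bool:
    """True for any build earlier than 10.5. Tuple comparison orders '9.96'
    before '10.5', which a naive string or float comparison would get wrong."""
    return parse_version(version) < FIXED_VERSION


@dataclass
class Listener:
    addr: str
    port: int
    pid: int

    @property
    def loopback_only(self) -> bool:
        return self.addr in LOOPBACK


def find_remoting_listeners(netstat_output: str) -> list[Listener]:
    """Return every LISTENING socket bound to REMOTING_PORT (IPv4 or IPv6)."""
    found: list[Listener] = []
    for line in netstat_output.splitlines():
        m = _LISTEN_RE.match(line)
        if m and int(m["port"]) == REMOTING_PORT:
            found.append(Listener(m["addr"], int(m["port"]), int(m["pid"])))
    return found


@dataclass
class Assessment:
    affected_build: bool
    listeners: list[Listener] = field(default_factory=list)

    @property
    def exposed(self) -> bool:
        # Assumption: a non-loopback bind means the port is reachable from the network.
        return any(not l.loopback_only for l in self.listeners)

    @property
    def verdict(self) -> str:
        if not self.affected_build:
            return "patched"
        if self.exposed:
            return "affected-and-exposed"
        if self.listeners:
            return "affected-loopback-only"
        return "affected-no-listener"


def assess(version: str, netstat_output: str) -> Assessment:
    """Combine the version check and the listener scan into one verdict."""
    return Assessment(is_affected(version), find_remoting_listeners(netstat_output))


if __name__ == "__main__":
    result = assess("10.4.1.2345", SAMPLE_NETSTAT)
    print(result.verdict, [(l.addr, l.pid) for l in result.listeners])
```

Feed `assess()` the output of `netstat -ano` from the Netwrix server and the version string from the installed product; a verdict of "affected-and-exposed" means the host is both on a pre-10.5 build and has the remoting port bound to a non-loopback address, which is the case that warrants the upgrade first.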