    July 18, 2022

    Netwrix Auditor Bug Threatens Active Directory Domain

    What Happened

    An Insecure Object Deserialization vulnerability was discovered in Netwrix Auditor, an IT asset tracker and auditing platform. This flaw potentially enables threat actors to compromise Active Directory domains.

    The vulnerability affects all supported versions of Netwrix prior to 10.5.

    Netwrix has over 11,500 customers, according to the company, and has a robust MSP partner program.

    How Bad is This?

    The vulnerability is still pending, but its severity is critical, according to Bishop Fox in its advisory. An attacker can submit arbitrary objects through an unsecured .NET remoting service to achieve remote code execution (RCE) on Netwrix Auditor servers. 

    RCE is one of the most dangerous types of flaws because it allows an adversary to execute malicious code on vulnerable servers. Additionally, compromising an AD domain gives attackers “the keys to the kingdom,” enabling them to perform a variety of malicious activities throughout the environment.

    What Should I Do?

    Organizations running Netwrix should immediately upgrade to the latest version of the software, and if possible, inventory all systems to discover any possible out-of-date installs of Netwrix Auditor. Blumira also recommends using a SIEM to discover attacker behavior in your systems.
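
One way to carry out the inventory step above, as an added example that is not from Blumira, Netwrix, or Bishop Fox. It assumes the product is listed in the Windows Uninstall registry keys with a display name matching "Netwrix Auditor*", that PowerShell remoting is enabled on the hosts, and that `hosts.txt` (a hypothetical file) lists one hostname per line.

```powershell
# Added example: flag Netwrix Auditor installs older than the fixed version (10.5).
# Assumptions: DisplayName matches 'Netwrix Auditor*'; hosts.txt is a hypothetical
# list of hostnames, one per line; WinRM/PowerShell remoting is enabled.
$FixedVersion = [version]'10.5'
$Computers    = Get-Content -Path .\hosts.txt

# Runs on each remote host: read both the 64-bit and 32-bit uninstall keys.
$scan = {
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Netwrix Auditor*' } |
        Select-Object DisplayName, DisplayVersion
}

$results = foreach ($c in $Computers) {
    try {
        $found = Invoke-Command -ComputerName $c -ScriptBlock $scan -ErrorAction Stop
    } catch {
        # Record unreachable hosts so they are not mistaken for clean ones.
        [pscustomobject]@{ Computer = $c; Product = $null; Version = $null
                           Status = "Unreachable: $($_.Exception.Message)" }
        continue
    }
    foreach ($app in $found) {
        $parsed = $null
        $status = if ([version]::TryParse($app.DisplayVersion, [ref]$parsed)) {
            if ($parsed -lt $FixedVersion) { 'OUTDATED' } else { 'OK' }
        } else {
            'Unknown version, check manually'
        }
        [pscustomobject]@{ Computer = $c; Product = $app.DisplayName
                           Version = $app.DisplayVersion; Status = $status }
    }
}

$results | Sort-Object Status, Computer | Format-Table -AutoSize
$results | Export-Csv -Path .\netwrix-auditor-inventory.csv -NoTypeInformation
```

Hosts where nothing matches produce no row, so compare the output against `hosts.txt` to confirm every system was actually checked.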

    How To Detect

    More details about this vulnerability are still needed to determine detection methods. At the present time, general cybersecurity best practices are recommended, including using an endpoint detection and response (EDR) solution on all endpoints, ensuring that WAN firewalls are configured to not allow access on insecure or unneeded ports, and using a SIEM to detect attacker behavior.

    Sign Up For Your Free Account

    Blumira’s cloud SIEM detects and alerts you about suspicious behavior in your environment so that you can stop an incident early enough to prevent damage. Each finding we send is accompanied by a security playbook, giving you clear recommendations on how to remediate an attack. Our support team of security analysts is always available to answer questions on how to interpret a finding, or for other security help.

    Blumira’s free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.


    Chris Furner

    Chris joined Blumira after spending more than 7 years at Worksighted, an 85-employee MSP. As a security engineer and consultant, Chris spent several years building security programs for customers, analyzing threats and performing incident response. In the process, he developed a deep understanding of the unique needs...
