An Insecure Object Deserialization vulnerability was discovered in Netwrix Auditor, an IT asset tracker and auditing platform. This flaw potentially enables threat actors to compromise Active Directory domains.
The vulnerability affects all supported versions of Netwrix Auditor prior to 10.5.
Netwrix has over 11,500 customers, according to the company, and has a robust MSP partner program.
A formal identifier for the vulnerability is still pending, but Bishop Fox rates its severity as critical in its advisory. An attacker can submit arbitrary objects to an unsecured .NET remoting service exposed by the product and achieve remote code execution (RCE) on Netwrix Auditor servers.
RCE is one of the most dangerous classes of flaws because it allows an adversary to run code of their choosing on the vulnerable server. Because Netwrix Auditor is typically deployed with privileged access to Active Directory, compromising it can hand attackers "the keys to the kingdom," enabling a variety of malicious activity throughout the environment.
Organizations running Netwrix Auditor should immediately upgrade to the latest version of the software and, if possible, inventory all systems to find any out-of-date installs. Blumira also recommends using a SIEM to surface attacker behavior in your environment.
More details on this vulnerability are still needed before specific detection methods can be defined. For now, general cybersecurity best practices are recommended: run an endpoint detection and response (EDR) solution on all endpoints, ensure that WAN firewalls block access to insecure or unneeded ports, and use a SIEM to detect attacker behavior.
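One way to carry out the inventory step above, as an added PowerShell example that is not part of Blumira's advisory or the Netwrix product: it reads the standard Uninstall registry keys on each domain server and flags Netwrix Auditor installs whose reported version is below 10.5. It assumes the product's DisplayName begins with "Netwrix Auditor", that WinRM is enabled on the targets, and that the ActiveDirectory module is available for target discovery.

```powershell
# Added example (not from the advisory): find Netwrix Auditor installs older than 10.5.
# Assumption: the install registers an Uninstall entry whose DisplayName starts with
# "Netwrix Auditor" and whose DisplayVersion carries the product version.
$MinimumSafeVersion = '10.5'

# Runs on each target host; returns one object per Netwrix Auditor install found.
$InventoryScript = {
    param([string]$MinSafe)
    $minVersion = [version]$MinSafe
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Netwrix Auditor*' } |
        ForEach-Object {
            $parsed = $null
            # Compare as [version], not as strings: "10.10" sorts below "10.5" as text.
            $ok = [version]::TryParse([string]$_.DisplayVersion, [ref]$parsed)
            [pscustomobject]@{
                ComputerName   = $env:COMPUTERNAME
                DisplayName    = $_.DisplayName
                DisplayVersion = $_.DisplayVersion
                # Unparseable versions are flagged so they get a manual look
                # instead of silently passing.
                Outdated       = (-not $ok) -or ($parsed -lt $minVersion)
            }
        }
}

# Pull targets from AD so servers nobody remembers are still checked.
$Targets = (Get-ADComputer -Filter 'OperatingSystem -like "*Server*"').Name

$Results = Invoke-Command -ComputerName $Targets -ScriptBlock $InventoryScript `
    -ArgumentList $MinimumSafeVersion -ErrorAction SilentlyContinue

# Hosts that returned nothing may simply be unreachable over WinRM; list them
# separately so they are not mistaken for "clean".
$Unreachable = $Targets | Where-Object { $_ -notin $Results.PSComputerName }

"Outdated Netwrix Auditor installs:"
$Results | Where-Object Outdated | Sort-Object ComputerName |
    Select-Object ComputerName, DisplayName, DisplayVersion | Format-Table -AutoSize

"Hosts not reached (verify manually): $($Unreachable -join ', ')"
```

Run it from an administrative workstation with rights to the target servers; a host listed as unreachable needs a manual check rather than being assumed patched.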
Blumira’s cloud SIEM detects and alerts you about suspicious behavior in your environment so that you can stop an incident early enough to prevent damage. Each finding we send is accompanied by a security playbook, giving you clear recommendations on how to remediate an attack. Our support team of security analysts is always available to answer questions on how to interpret a finding, or for other security help.
Blumira’s free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.