External risk intelligence

Netwrix Auditor Remote Code Execution Vulnerability

CVE advisory | Known Exploit

CVE-2022-31199

A vulnerability in Netwrix Auditor's User Activity Video Recording component allows unauthenticated attackers to execute arbitrary code with system privileges on affected servers. This could lead to unauthorized data access and operational disruption. Organizations should identify affected systems, restrict network acc

Halo Surface Signal: 2

Weakness: Deserialization

Product: Netwrix Auditor

Affected versions: before 10.5

External exposure likelihood

Halo Surface Signal score for CVE-2022-31199

The vulnerability affects the Netwrix Auditor User Activity Video Recording component on port 9004/TCP. While network-reachable, this service is intended for internal monitoring and management rather than public-facing use. It is typically blocked by enterprise firewalls, making direct exposure to the public internet uncommon.

Horizon Alert

Summary of the vulnerability and why it matters

The Netwrix Auditor User Activity Video Recording component is affected by an insecure deserialization flaw in its underlying protocol. The flaw allows an unauthenticated remote attacker to execute arbitrary code with high privileges on affected systems, including the servers and agents managed by Netwrix Auditor.

  • Vulnerable Netwrix Auditor component
  • Allows unauthenticated remote code execution
  • High-privilege code execution impact

Attack Path

How an attacker could exploit the issue

The Netwrix Auditor User Activity Video Recording component has a vulnerability that can allow for remote code execution. This occurs when an attacker can interact with the component's underlying protocol. Successful exploitation enables an unauthenticated remote attacker to execute arbitrary code with high privileges on affected servers, including those being monitored by Netwrix Auditor.

  • Network exposure to the component.
  • Unauthenticated attacker triggers vulnerable protocol.
  • Arbitrary code execution as SYSTEM.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows an unauthenticated attacker to remotely execute arbitrary code on affected Netwrix Auditor systems. The attack could result in the compromise of sensitive data and the disruption of business operations. The affected component, User Activity Video Recording, is typically used for internal monitoring.

  • Attacker skill level: Low
  • Required access or conditions: Network access to a specific port
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in the Netwrix Auditor User Activity Video Recording component allows for remote code execution. An unauthenticated attacker could potentially execute arbitrary code with system-level privileges on affected Netwrix Auditor servers and monitored systems. This poses a significant risk to the confidentiality, integrity, and availability of business data and systems.

  • Identify all Netwrix Auditor servers and agents.
  • Restrict network access to the affected component.
  • Apply vendor patches and confirm remediation.
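The three steps above, carried out on a single Windows host as an added PowerShell example (this script is not part of the advisory and is not Netwrix's own tooling). It assumes the product registers under the standard Uninstall registry keys with a DisplayName beginning "Netwrix Auditor", and uses 10.0.0.0/24 as a placeholder for the management subnet that should be allowed to reach port 9004/TCP.

```powershell
# Added example: report on, and optionally restrict, CVE-2022-31199 exposure on one host.
# Assumptions (not from the advisory): Netwrix Auditor appears under the standard
# Uninstall registry keys, and 10.0.0.0/24 stands in for your management subnet.
param(
    [string]$ManagementSubnet = '10.0.0.0/24',   # placeholder, adjust to your environment
    [switch]$Enforce                              # without this switch the script only reports
)
$Port = 9004                    # User Activity Video Recording listener (from the advisory)
$FixedVersion = [version]'10.5' # versions before 10.5 are affected (from the advisory)

# 1. Identify: look up the installed Netwrix Auditor version.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$product = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Netwrix Auditor*' } |
    Select-Object -First 1
if (-not $product) { Write-Output 'Netwrix Auditor is not installed on this host.'; return }
$installed  = [version]$product.DisplayVersion
$vulnerable = $installed -lt $FixedVersion
Write-Output ("Installed {0} {1}; affected by CVE-2022-31199: {2}" -f $product.DisplayName, $installed, $vulnerable)

# 2. Exposure: is the component listening, and do any inbound allow rules open the port to Any?
$listening = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
Write-Output ("Port {0}/TCP listening: {1}" -f $Port, [bool]$listening)
$broadRules = Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq $Port } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' }
foreach ($r in $broadRules) { Write-Output ("Inbound allow rule open to Any on {0}/TCP: {1}" -f $Port, $r.DisplayName) }

# 3. Restrict: replace any-source allow rules with one scoped to the management subnet.
#    Windows Firewall drops unsolicited inbound traffic once no allow rule matches it.
if ($Enforce -and $vulnerable) {
    $broadRules | Disable-NetFirewallRule
    New-NetFirewallRule -DisplayName "Netwrix UAVR $Port/TCP - management subnet only" `
        -Direction Inbound -Protocol TCP -LocalPort $Port `
        -RemoteAddress $ManagementSubnet -Action Allow | Out-Null
    Write-Output 'Scoped inbound rule created; apply the vendor patch (10.5 or later) and re-run to confirm.'
}
```

Run it once without -Enforce to inventory the host, and again after patching to confirm the installed version is no longer reported as affected.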

Frequently asked questions

What is Netwrix Auditor and its User Activity Video Recording component?

Netwrix Auditor is a software solution for monitoring IT environments. Its User Activity Video Recording component is susceptible to remote code execution vulnerabilities within its underlying protocol, enabling attackers to run arbitrary code with high privileges on monitored systems.

What is the weakness in CVE-2022-31199?

CVE-2022-31199 is an insecure deserialization vulnerability (CWE-502). This weakness allows an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user on affected Netwrix Auditor servers and agents.

How can an unauthenticated attacker exploit CVE-2022-31199?

An unauthenticated attacker with network access to the specific port of the User Activity Video Recording component can exploit this vulnerability by interacting with its underlying protocol, leading to arbitrary code execution with system-level privileges.

What is the relevance of CVE-2022-31199 concerning potential exploitation?

Although the vulnerability allows remote code execution, the affected service is intended for internal monitoring and is usually blocked by enterprise firewalls, so direct exposure to the public internet is uncommon. That limited exposure lowers the likelihood of exploitation, but it does not remove the risk from attackers who already have network access to the port.

What steps should be taken to address the Netwrix Auditor vulnerability?

Organizations should identify all affected Netwrix Auditor servers and agents, restrict network access to the vulnerable component, and apply vendor-provided patches promptly. Confirming remediation after patching is crucial to mitigate the risk.
