CVE-2022-31199 is a vulnerability in Netwrix Auditor
Published on November 8, 2022

Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. The remote code execution vulnerabilities exist within the underlying protocol used by the component, and potentially allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors.

NVD

Known Exploited Vulnerability

This Netwrix Auditor Insecure Object Deserialization Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. The Netwrix Auditor User Activity Video Recording component contains an insecure object deserialization vulnerability that allows an unauthenticated, remote attacker to execute code as the NT AUTHORITY\SYSTEM user. Successful exploitation requires that the attacker be able to reach port 9004/TCP, which is commonly blocked by standard enterprise firewalling.

The following remediation steps are recommended / required by August 1, 2023: Apply updates per vendor instructions or discontinue use of the product if updates are unavailable.

Vulnerability Analysis

CVE-2022-31199 can be exploited with network access and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical, as it has a high impact on the confidentiality, integrity and availability of this component.

What is a Marshaling, Unmarshaling Vulnerability?

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

CVE-2022-31199 has been classified as a Marshaling, Unmarshaling vulnerability or weakness.


Products Associated with CVE-2022-31199


What versions of Auditor are vulnerable to CVE-2022-31199?