Strix
26.1K

CVE-2019-14969

UnknownEPSS 0.47%

Last modified

CVE-2019-14969 is a vulnerability of currently unknown severity. Netwrix Auditor before 9.8 has insecure permissions on %PROGRAMDATA%\Netwrix Auditor\Logs\ActiveDirectory\ and sub-folders. In addition, the service Netwrix.ADA.StorageAuditService (which writes to that directory) does not perform proper impersonation, and thus the target file will have the same permissions as the invoking process (in this case, granting Authenticated Users full access over the target file). EPSS estimates a 0.47% chance of exploitation in the next 30 days.

Description

Netwrix Auditor before 9.8 has insecure permissions on %PROGRAMDATA%\Netwrix Auditor\Logs\ActiveDirectory\ and sub-folders. In addition, the service Netwrix.ADA.StorageAuditService (which writes to that directory) does not perform proper impersonation, and thus the target file will have the same permissions as the invoking process (in this case, granting Authenticated Users full access over the target file). This vulnerability can be triggered by a low-privileged user to perform DLL Hijacking/Binary Planting attacks and ultimately execute code as NT AUTHORITY\SYSTEM with the help of Symbolic Links.

Metrics

EPSS Probability
0.47%

36.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
NetwrixAuditor< 9.8

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2019-14969?
Netwrix Auditor before 9.8 has insecure permissions on %PROGRAMDATA%\Netwrix Auditor\Logs\ActiveDirectory\ and sub-folders. In addition, the service Netwrix.ADA.StorageAuditService (which writes to that directory) does not perform proper impersonation, and thus the target file will have the same permissions as the invoking process (in this case, granting Authenticated Users full access over the target file). This vulnerability can be triggered by a low-privileged user to perform DLL Hijacking/Binary Planting attacks and ultimately execute code as NT AUTHORITY\SYSTEM with the help of Symbolic Links.
How severe is CVE-2019-14969?
Severity scoring for CVE-2019-14969 is pending analysis. The EPSS model estimates a 0.47% probability of exploitation in the next 30 days.
How do I fix CVE-2019-14969?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-14969?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST