CVE-2019-14969 Information

Description

Netwrix Auditor before 9.8 has insecure permissions on PROGRAMDATA\Netwrix Auditor\Logs\ActiveDirectory\ and sub-folders. In addition the service Netwrix.ADA.StorageAuditService (which writes to that directory) does not perform proper impersonation and thus the target file will have the same permissions as the invoking process (in this case granting Authenticated Users full access over the target file). This vulnerability can be triggered by a low-privileged user to perform DLL Hijacking/Binary Planting attacks and ultimately execute code as NT AUTHORITY\SYSTEM with the help of Symbolic Links.

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

https://github.com/active-labs/Advisories/blob/master/2019/ACTIVE-2019-010.md

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

7.8