PT-2019-13903 · Netwrix · Netwrix Auditor

Hashim Jawad · Published 2019-08-12 · Updated 2020-08-24 · CVE-2019-14969

CVSS v3.1: 7.8 High

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Netwrix Auditor versions prior to 9.8

Description

The issue is related to insecure permissions on certain directories and sub-folders, specifically %PROGRAMDATA%\Netwrix Auditor\Logs\ActiveDirectory. The Netwrix.ADA.StorageAuditService service, which writes to this directory, does not properly impersonate, resulting in the target file having the same permissions as the invoking process. This allows low-privileged users to perform DLL Hijacking/Binary Planting attacks, potentially executing code as NT AUTHORITY\SYSTEM with the help of Symbolic Links.

Recommendations

For versions prior to 9.8, update to version 9.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the %PROGRAMDATA%\Netwrix Auditor\Logs\ActiveDirectory directory and its sub-folders to prevent low-privileged users from exploiting the vulnerability. Additionally, restrict the use of the Netwrix.ADA.StorageAuditService service until the update is applied.
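To verify the temporary workaround, the PowerShell below lists ACL entries on the log directory and its sub-folders that still let low-privileged principals create or modify files. It is an added example, not code from this advisory or from Netwrix; the helper name `Get-WeakLogAcl` and the choice of which SIDs count as low-privileged are assumptions.

```powershell
# Added example: audit the directory named in the advisory for write-capable
# ACL entries held by low-privileged principals.
# Assumption: these well-known SIDs are treated as "low-privileged" here.
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

# Rights that allow planting or replacing a file, or changing who may do so.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Also match raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits,
# which can appear unmapped in inherit-only entries.
$WriteMask = [int]$WriteRights -bor 0x40000000 -bor 0x10000000

function Get-WeakLogAcl {   # hypothetical helper name
    param(
        [string]$Root = (Join-Path $env:ProgramData 'Netwrix Auditor\Logs\ActiveDirectory')
    )
    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Warning "Path not found: $Root"
        return
    }
    # The advisory covers the directory and its sub-folders, so check both.
    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        # Resolve entries to SIDs so the check does not depend on localized names.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivSids -notcontains $rule.IdentityReference.Value) { continue }
            if (([int]$rule.FileSystemRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $dir.FullName
                Sid       = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

Get-WeakLogAcl | Format-Table -AutoSize
```

Any row returned marks a folder whose ACL still needs tightening while the update to 9.8 is pending; rows with `Inherited` set to true have to be fixed on the parent folder or by disabling inheritance.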

Fix

Incorrect Permission

Weakness Enumeration

Related Identifiers

CVE-2019-14969

Affected Products

Netwrix Auditor