FAQ: Domain Admin Credential Disclosure Vulnerability in Netwrix Account Lockout Examiner 4.1
All users of Netwrix Account Lockout Examiner 4.1 or earlier should consider immediately upgrading to version 5.1 or higher in order to avoid falling victim to this vulnerability.
What is this vulnerability?
An attacker can force an account used to run Account Lockout Examiner to authenticate to a system that the attacker controls, enabling them to capture the associated NTLMv1/v2 challenge-response and gain the Domain Admin credentials used to run Account Lockout Examiner.
For more details about a possible attack scenario, read the full Optiv article.
Which Netwrix products are affected by this vulnerability?
Netwrix Account Lockout Examiner 4.1 and earlier.
Who is at risk?
Your organization is vulnerable if you have Netwrix Account Lockout Examiner 4.1 or earlier running and configured according to the Quick-Start Guide with NTLM authentication enabled.
Specific prerequisites:
- Netwrix Account Lockout Examiner 4.1 or earlier running under a Domain Admin account
- Audit failure enabled in the Account Logon Events policy on your domain controllers
- A failed Kerberos pre-authentication attempt
- A way for the attacker to capture or relay the incoming account hash
What could be affected by this attack?
If the attack succeeds and the attacker gets Domain Admin credentials, the entire domain is at risk.
How can organizations mitigate the vulnerability?
Step 1: Replace the vulnerable version of Netwrix Account Lockout Examiner with version 5.1 or higher.
In versions 5.1 and higher, a failed Kerberos pre-authentication attempt (event 4771) doesn’t trigger automatic examination, which avoids automatic NTLM authentication to the attacker’s machine.
Starting with version 5.2, the solution warns you whenever the examination process would include an attempt to authenticate to a non-domain server.
Download the latest version of Netwrix Account Lockout Examiner.
Step 2: Disable outgoing NTLM authentication traffic on the workstation that is used to run Netwrix Account Lockout Examiner.
Follow the detailed instructions to disable outgoing NTLM authentication traffic from the machine that is used to run Netwrix Account Lockout Examiner.
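As an added illustration of Step 2 (not Netwrix's own instructions), the PowerShell below reads and sets the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy on the Account Lockout Examiner host through its registry-backed value, staging audit mode before deny mode so that legitimate NTLM dependencies surface first. The two-stage rollout and the `legacy-fileserver` exception name are assumptions for the example.

```powershell
# Added example: audit, then restrict, outgoing NTLM on the host that runs
# Account Lockout Examiner. This is the registry location behind the policy
# "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
# (Security Options). Run elevated. If a domain GPO delivers this setting,
# change it there instead; a policy refresh overwrites the local value.
$Key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Modes = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }

function Get-OutgoingNtlmPolicy {
    $v  = Get-ItemProperty -Path $Key -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue
    $ex = Get-ItemProperty -Path $Key -Name ClientAllowedNTLMServers  -ErrorAction SilentlyContinue
    # A missing value means the default, "Allow all".
    $mode = if ($null -eq $v) { 0 } else { [int]$v.RestrictSendingNTLMTraffic }
    [pscustomobject]@{
        Mode       = $mode
        ModeName   = $Modes[$mode]
        Exceptions = if ($null -eq $ex) { @() } else { @($ex.ClientAllowedNTLMServers) }
    }
}

function Set-OutgoingNtlmPolicy {
    param(
        [ValidateSet(0, 1, 2)][int]$Mode,
        # Servers that still legitimately need NTLM from this host (wildcards allowed).
        [string[]]$AllowedServers = @()
    )
    Set-ItemProperty -Path $Key -Name RestrictSendingNTLMTraffic -Type DWord -Value $Mode
    if ($AllowedServers.Count -gt 0) {
        Set-ItemProperty -Path $Key -Name ClientAllowedNTLMServers -Type MultiString -Value $AllowedServers
    } else {
        Remove-ItemProperty -Path $Key -Name ClientAllowedNTLMServers -ErrorAction SilentlyContinue
    }
}

# Stage 1: audit only. Outgoing NTLM that deny mode would block is recorded as
# Event ID 8001 in the Microsoft-Windows-NTLM/Operational log; review it for a
# few days to learn which servers the machine still reaches over NTLM.
Set-OutgoingNtlmPolicy -Mode 1

# Stage 2, after the review: deny all outgoing NTLM except reviewed exceptions.
# 'legacy-fileserver' is a placeholder; leave -AllowedServers out to deny everything.
# Set-OutgoingNtlmPolicy -Mode 2 -AllowedServers @('legacy-fileserver')

Get-OutgoingNtlmPolicy | Format-List
```

With the deny setting in place, the automatic examination can no longer complete an NTLM handshake with an attacker-controlled host, so the credential is never sent.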
Credits
This vulnerability was discovered by Optiv security consultants Robert Surace and Daniel Min while performing a security assessment. Optiv immediately contacted Netwrix to disclose the flaw responsibly.
Feedback, suggestions and questions
We welcome any feedback, ideas or questions you might have. Reach out to us by email at product.management@netwrix.com.