In November 2024, several security vulnerabilities were identified in Netwrix PingCastle Pro and Enterprise editions. These vulnerabilities could allow unauthorized access or disrupt the application's availability. Netwrix has addressed these issues in version 3.3.0.1, released on September 25, 2024.
Identified Vulnerabilities
- Broken Authentication – API Key State Ignored: Disabled API keys were still accepted, so a key that had been turned off could still grant unauthorized access. This vulnerability received a CVSS 3.1 score of 6.5.
- Account Policy – Weak Lockout Policy: The absence of an account lockout policy increased the risk of dictionary attacks on user accounts without Multi-Factor Authentication (MFA). This issue was assigned a CVSS 3.1 score of 7.1.
- Denial of Service – Shared Resource Lock: A shared resource intended to prevent brute-force attacks on account recovery codes could be exploited to execute a Denial-of-Service (DoS) attack, rendering the application unavailable during the attack. This vulnerability had a CVSS 3.1 score of 4.6.
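The three findings above map to three checks in an authentication path. The following is an added, hypothetical Python model (not PingCastle's code) that shows the hardened behaviour for each: an API key is rejected unless its enabled flag is set, recovery-code failures are counted per account and trigger a temporary lockout, and that state is kept per account rather than behind one shared resource, so one attacker hammering a single account cannot stall verification for everyone. Class and method names are assumptions.

```python
"""Hypothetical model of the PingCastle advisory findings (added example)."""
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class ApiKey:
    secret: str
    enabled: bool = True   # the state the vulnerable code ignored


@dataclass
class AuthGate:
    keys: Dict[str, ApiKey]               # secret -> ApiKey
    max_failures: int = 5                 # recovery-code attempts before lockout
    lockout_seconds: float = 900.0        # temporary, per-account lockout
    clock: Callable[[], float] = time.monotonic
    # Per-account state. A single shared lock/counter here would let one
    # attacker make recovery unavailable for every account (the DoS finding).
    _failures: Dict[str, int] = field(default_factory=dict)
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def api_key_allowed(self, presented: str) -> bool:
        key = self.keys.get(presented)
        # Vulnerable pattern: `return key is not None`, which ignores key.enabled.
        return key is not None and key.enabled

    def is_locked(self, account: str) -> bool:
        return self.clock() < self._locked_until.get(account, 0.0)

    def verify_recovery_code(self, account: str, presented: str, expected: str) -> str:
        """Return 'ok', 'denied' or 'locked'; only `account` is ever affected."""
        if self.is_locked(account):
            return "locked"
        if hmac.compare_digest(presented, expected):  # constant-time compare
            self._failures.pop(account, None)
            return "ok"
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_seconds
            self._failures.pop(account, None)
            return "locked"
        return "denied"
```

The lockout is deliberately time-bounded and scoped to one account: a permanent or global lock would reintroduce the availability problem the third finding describes.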
Recommended Actions
- Update to the Latest Version: Users of Netwrix PingCastle Pro and Enterprise editions should upgrade to version 3.3.0.1 or later to mitigate these vulnerabilities.
- Review Security Configurations: Ensure that API keys are managed appropriately, account lockout policies are enforced, and shared resources are secured to prevent potential exploitation.
Source: https://borncity.com/win/2024/11/18/vulnerabilities-in-netwrix-pingcastle-pro-enterprise-nov-2024/