CVE-2023-41264
📋 TL;DR
Netwrix Usercube before 6.0.215 allows authentication bypass on its deployment endpoints in on-premises installations whose configuration omits the restSettings.AuthorizedClientId and restSettings.AuthorizedSecret fields. An unauthenticated attacker who can reach such a server can call the deployment API as if authorized, which amounts to privilege escalation over the Usercube instance. Installations that define both fields are not affected.
💻 Affected Systems
- Netwrix Usercube before 6.0.215 (on-premises installations missing the restSettings.AuthorizedClientId and restSettings.AuthorizedSecret fields)
📦 What is this software?
Usercube is Netwrix's identity governance and administration (IGA) product. Its deployment endpoints are used to export and push the platform's configuration, which is why unauthenticated access to them is equivalent to administrative control of the instance.
⚠️ Risk & Real-World Impact
Worst Case
Full administrative control of the Usercube instance: an attacker exports the configuration via /api/Deployment/ExportConfiguration and pushes attacker-controlled deployment changes via /api/Deployment, altering how the identity governance platform behaves.
Likely Case
Unauthenticated access to the deployment endpoints, leading to configuration export, privilege escalation within Usercube, and use of the exported data (hostnames, integration details) for lateral movement within the network.
If Mitigated
No impact when restSettings.AuthorizedClientId and restSettings.AuthorizedSecret are both set, since the deployment endpoints then require those credentials.
🎯 Exploit Status
No credentials are needed. An attacker who can reach a misconfigured server sends unauthenticated POST requests to /api/Deployment/ExportConfiguration (configuration export) and /api/Deployment (deployment operations). The only prerequisite is network reachability of the Usercube web endpoint and a configuration missing the two restSettings fields.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.0.215 or later
Vendor Advisory: https://www.netwrix.com/identity_governance_and_administration_solution.html (product page; the technical write-up is the Synacktiv advisory listed under References)
Restart Required: Yes
Instructions:
1. Upgrade Netwrix Usercube to version 6.0.215 or later.
2. Verify the configuration includes restSettings.AuthorizedClientId and restSettings.AuthorizedSecret.
3. Restart the Usercube service.
🔧 Temporary Workarounds
Configure Authentication Settings (Windows)
Manually add the required restSettings.AuthorizedClientId and restSettings.AuthorizedSecret fields to the server configuration file, then restart the service. Use a long, randomly generated secret rather than a placeholder, and give the same values to whatever legitimately calls the deployment endpoints (your deployment tooling), since it must now present them.
Edit the configuration file to include: "restSettings": {"AuthorizedClientId": "your-client-id", "AuthorizedSecret": "your-secret-key"}
Restrict Network Access (Windows)
Block access to the deployment endpoints with firewall rules. Caveat: a host firewall filters by port and address, not by URL path, so the rule below blocks all inbound HTTPS to the Usercube process and takes the whole application offline for every client. Treat it as an emergency measure only; to keep the application available while restricting the deployment API, put a reverse proxy or web-server request filter in front of Usercube that denies /api/Deployment and its sub-paths except from the hosts that run your deployment tooling.
netsh advfirewall firewall add rule name="Block Usercube Deployment Endpoints" dir=in action=block protocol=TCP localport=443 remoteip=any program="path\to\usercube.exe"
🧯 If You Can't Patch
- Ensure restSettings.AuthorizedClientId and restSettings.AuthorizedSecret are set (and are not placeholder values) in every Usercube installation, including test and staging instances that share the production network
- Implement network segmentation so that the Usercube deployment endpoints are reachable only from the hosts that run deployment tooling, not from user or untrusted networks
🔍 How to Verify
Check if Vulnerable:
1. Check the Usercube version (vulnerable if < 6.0.215).
2. Review the configuration file for the presence of restSettings.AuthorizedClientId and restSettings.AuthorizedSecret.
3. Send a POST request to /api/Deployment/ExportConfiguration without authentication; a 2xx response means the endpoint is exposed.
Check Version:
Check Usercube web interface or configuration files for version information
Verify Fix Applied:
1. Confirm the version is 6.0.215 or higher.
2. Verify the configuration contains both restSettings fields with non-placeholder values.
3. Confirm that unauthenticated POST requests to the deployment endpoints return an authentication error (401 or 403), not 2xx.
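The two checks above (configuration review and an unauthenticated probe) as a script. This is an added example, not Netwrix code: it assumes the server configuration is a JSON document with a top-level "restSettings" object (the file location varies by install), and that the deployment endpoints sit at the two paths named in the advisory. The sample configurations and the secret value are constructed.

```python
"""Check a Usercube install for CVE-2023-41264 exposure.

Added example, not Netwrix code. Assumptions: the server configuration is a
JSON document containing a top-level "restSettings" object, and the deployment
endpoints sit under the two paths named in the advisory.
"""
import json
import sys
import urllib.error
import urllib.request

REQUIRED_REST_SETTINGS = ("AuthorizedClientId", "AuthorizedSecret")
DEPLOYMENT_ENDPOINTS = ("/api/Deployment", "/api/Deployment/ExportConfiguration")
# Values that show the field was pasted from a template and never set.
PLACEHOLDER_VALUES = {"", "your-client-id", "your-secret-key", "changeme"}

# Constructed configs: the weak shape (fields absent) beside the corrected one.
WEAK_CONFIG = {"restSettings": {}}
FIXED_CONFIG = {
    "restSettings": {
        "AuthorizedClientId": "usercube-deploy",
        "AuthorizedSecret": "7f3c0b9e2a6d4c1f8e5b9a0d3c6f2e1b",  # constructed; generate your own
    }
}


def missing_rest_settings(config: dict) -> list:
    """Return the required restSettings keys that are absent, empty or placeholders."""
    rest = config.get("restSettings") or {}
    problems = []
    for key in REQUIRED_REST_SETTINGS:
        value = rest.get(key)
        if not isinstance(value, str) or value.strip().lower() in PLACEHOLDER_VALUES:
            problems.append(key)
    return problems


def classify_status(status: int) -> str:
    """Verdict for the HTTP status of an *unauthenticated* POST."""
    if 200 <= status < 300:
        return "VULNERABLE"      # anonymous caller was served
    if status in (401, 403):
        return "PROTECTED"       # authentication is enforced
    return "INCONCLUSIVE"        # 404/405/5xx: wrong path or server error, check manually


def _http_status(req: urllib.request.Request, timeout: float) -> int:
    """Default transport: urllib raises on 4xx/5xx, so recover the code from the error."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe_deployment_endpoints(base_url: str, fetch_status=_http_status, timeout: float = 10.0) -> dict:
    """POST to each deployment endpoint with no credentials and classify the replies.

    `fetch_status` is injectable so the logic can be exercised without a live server.
    """
    verdicts = {}
    for path in DEPLOYMENT_ENDPOINTS:
        req = urllib.request.Request(
            base_url.rstrip("/") + path,
            data=b"{}",
            method="POST",
            headers={"Content-Type": "application/json"},
        )
        verdicts[path] = classify_status(fetch_status(req, timeout))
    return verdicts


if __name__ == "__main__":
    # usage: python check_usercube.py <config.json> <https://usercube.example>
    config_path, base_url = sys.argv[1], sys.argv[2]
    with open(config_path, encoding="utf-8") as fh:
        missing = missing_rest_settings(json.load(fh))
    print("restSettings missing/placeholder:", missing or "none")
    for path, verdict in probe_deployment_endpoints(base_url).items():
        print(f"{verdict:12} POST {path}")
```

Run it only against systems you are authorized to test. A 404 or 405 is reported as INCONCLUSIVE rather than PROTECTED on purpose: it usually means the base URL or path is wrong, not that authentication is enforced.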
📡 Detection & Monitoring
Log Indicators:
- POST requests to /api/Deployment or /api/Deployment/ExportConfiguration with no authenticated user
- A successful configuration export with no corresponding authentication event for the caller
- Authentication failures from a source followed by successful deployment operations from the same source
Network Indicators:
- POST requests to the deployment endpoints from addresses other than your deployment tooling hosts
- Large responses from /api/Deployment/ExportConfiguration (the exported configuration) leaving for unexpected destinations
SIEM Query (illustrative; field names depend on how the Usercube request logs are ingested, and web routing is typically case-insensitive, so match on the path prefix rather than an exact string):
source="usercube.logs" AND uri="/api/Deployment*" AND method="POST" AND response_code>=200 AND response_code<300 AND user="anonymous"
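The same detection logic run over log lines, for environments where the query has to be expressed in code rather than a SIEM. This is an added example, not Netwrix code: the log lines are constructed (one JSON object per line, using the field names from the query above), since the real Usercube or IIS log schema is not shown on this page; adapt the field lookups to your own. It matches on the path prefix, case-insensitively and ignoring the query string, and respects the segment boundary so that unrelated paths sharing the prefix are not flagged.

```python
"""Flag anonymous successes on Usercube deployment endpoints in request logs.

Added example, not Netwrix code. SAMPLE_LOGS is constructed; the field names
mirror the SIEM query on this page, not a documented Usercube log format.
"""
import json
from collections import Counter

DEPLOYMENT_PREFIX = "/api/deployment"        # compared case-insensitively
ANONYMOUS_MARKERS = {"", "-", "anonymous"}   # how "no user" tends to appear in logs

# Constructed sample: two anonymous successes from one source, one rejected
# attempt, one legitimate authenticated deployment, one unrelated path, one bad line.
SAMPLE_LOGS = [
    '{"ts":"2023-09-01T10:00:01Z","src_ip":"203.0.113.7","user":"anonymous","method":"POST","uri":"/api/Deployment/ExportConfiguration","response_code":200}',
    '{"ts":"2023-09-01T10:00:02Z","src_ip":"203.0.113.7","user":"anonymous","method":"POST","uri":"/api/deployment?force=true","response_code":201}',
    '{"ts":"2023-09-01T10:00:03Z","src_ip":"198.51.100.9","user":"anonymous","method":"POST","uri":"/api/Deployment","response_code":401}',
    '{"ts":"2023-09-01T10:00:04Z","src_ip":"10.0.0.5","user":"svc-deploy","method":"POST","uri":"/api/Deployment","response_code":200}',
    '{"ts":"2023-09-01T10:00:05Z","src_ip":"203.0.113.7","user":"anonymous","method":"GET","uri":"/api/Deployments/status","response_code":200}',
    'not json at all',
]


def _is_deployment_path(uri: str) -> bool:
    """True for /api/Deployment itself and anything beneath it, in any letter case."""
    path = uri.split("?", 1)[0].rstrip("/").lower()
    return path == DEPLOYMENT_PREFIX or path.startswith(DEPLOYMENT_PREFIX + "/")


def is_anonymous_deployment_success(event: dict) -> bool:
    """Anonymous caller + 2xx response + deployment path = the pattern this CVE produces."""
    try:
        code = int(event.get("response_code", 0))
    except (TypeError, ValueError):
        return False
    user = str(event.get("user", "")).strip().lower()
    return (_is_deployment_path(str(event.get("uri", "")))
            and 200 <= code < 300
            and user in ANONYMOUS_MARKERS)


def flag_anonymous_deployment_hits(lines) -> list:
    """Parse JSON log lines and return the events that match the pattern."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # unparseable line: skip it rather than abort the whole run
        if isinstance(event, dict) and is_anonymous_deployment_success(event):
            hits.append(event)
    return hits


def summarize_by_source(hits) -> Counter:
    """Count hits per source address so a single scanning host stands out."""
    return Counter(h.get("src_ip", "?") for h in hits)


if __name__ == "__main__":
    found = flag_anonymous_deployment_hits(SAMPLE_LOGS)
    for h in found:
        print(f'{h["ts"]} {h["src_ip"]:15} {h["method"]} {h["uri"]} -> {h["response_code"]}')
    print("by source:", dict(summarize_by_source(found)))
```

Note that the legitimate deployment (authenticated user, 200) and the rejected attempt (401) are both left alone; only the anonymous successes are flagged, which is the behaviour an unpatched server with the missing restSettings fields produces.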
🔗 References
- https://www.netwrix.com/identity_governance_and_administration_solution.html
- https://www.synacktiv.com/advisories/usercube-netwrix-multiple-vulnerabilities