Brief information for administrators and IT service providers who use PingCastle (now part of Netwrix) to analyze Active Directory security. Because of vulnerabilities in the code, older versions of the Enterprise and Pro editions of the tool should no longer be used. Netwrix has released PingCastle Enterprise and Pro version 3.3.0.1 to close the vulnerabilities.
What is Netwrix PingCastle?
PingCastle is a tool for quickly assessing an Active Directory security level. Semperis summarizes it here: PingCastle can quickly scan permissions to detect such delegation vulnerabilities. The tool also provides a report based on an anomaly analysis that provides insight into unwanted access rights that may exist for critical objects in your AD environment. In addition to assessing AD deployments, PingCastle scans workstations for issues such as local admin rights, open shares with insufficient security permissions, WannaCry vulnerabilities and boot time anomalies. PingCastle has since been acquired by Netwrix.
Update PingCastle due to vulnerability
German blog reader Andy Wendel contacted me on Facebook in a private message (thanks for that) and informed me that administrators should no longer use certain versions and editions of PingCastle. Older versions of PingCastle Enterprise and PingCastle Enterprise Pro contain weaknesses (not known to be exploited so far) that could give an attacker unauthorized access to the application or make it unavailable, which is worth taking seriously for a tool that holds the results of Active Directory security assessments.
Netwrix published a security advisory to its customers whose revision history gives November 14, 2024 as the first publication date. According to the advisory, several vulnerabilities in PingCastle Enterprise and PingCastle Enterprise Pro were identified and fixed during a routine security review by Netwrix.
The vulnerabilities could allow an attacker to make PingCastle Enterprise and Pro unusable or allow unauthorized access to the application. However, Netwrix has no evidence of active exploitation of any of these vulnerabilities.
All Netwrix PingCastle Enterprise and Pro customers are advised to update PingCastle Enterprise and PingCastle Enterprise Pro to version 3.3.0.1 or higher as soon as possible.
List of vulnerabilities
Here is a list of the vulnerabilities documented by Netwrix in PingCastle Enterprise and PingCastle Enterprise Pro:
Broken Authentication – API Key State Ignored
Netwrix PingCastle Enterprise and Pro versions prior to 3.3.0.1 still accept API keys that have been disabled. An attacker who holds a disabled key can therefore gain unauthorized access to the application; in other words, disabling a key is not an effective revocation on an unpatched instance. Netwrix rates the issue CVSS 4.0 7.7 and CVSS 3.1 7.5 (base) / 6.5 (temporal).
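The following Python example is added here to show the shape of this class of bug; it is not PingCastle's code, and the key store, key identifiers, secrets and audit log are constructed for the example. The vulnerable function checks that the key exists and that its secret matches but never consults the key's enabled flag, so a disabled key authenticates like a live one; the fixed function makes the state part of the decision and records the event, because a correct secret presented on a disabled key is a signal that the key has leaked.

```python
"""
Added illustration, not PingCastle's code: an API-key check that ignores the
key's disabled state, beside a version that honours it.

The key store, key identifiers, secrets and the audit log are constructed for
this example; only the failure mode (a disabled key still authenticates)
comes from the advisory.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ApiKeyRecord:
    key_id: str
    key_hash: str   # hex SHA-256 of the secret; the secret itself is not stored
    enabled: bool
    owner: str


def hash_key(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed key store: one live key and one an administrator has disabled.
KEY_STORE: Dict[str, ApiKeyRecord] = {
    "key-alice": ApiKeyRecord("key-alice", hash_key("alice-secret-1"), True, "alice"),
    "key-bob": ApiKeyRecord("key-bob", hash_key("bob-secret-2"), False, "bob"),
}

# Events worth alerting on; a real service would ship these to its SIEM.
AUDIT_LOG: List[str] = []


def authenticate_vulnerable(key_id: str, secret: str) -> Optional[str]:
    """Looks the key up and compares the secret, but never reads 'enabled'."""
    rec = KEY_STORE.get(key_id)
    if rec is not None and hmac.compare_digest(rec.key_hash, hash_key(secret)):
        return rec.owner      # BUG: a disabled key is accepted like a live one
    return None


def authenticate_fixed(key_id: str, secret: str) -> Optional[str]:
    """Same lookup, but the key's state is part of the authentication decision."""
    rec = KEY_STORE.get(key_id)
    # Compare against a throw-away hash when the id is unknown, so response
    # time does not reveal which key ids exist.
    expected = rec.key_hash if rec is not None else hash_key(secrets.token_hex(32))
    if not hmac.compare_digest(expected, hash_key(secret)):
        return None
    if rec is None:
        return None
    if not rec.enabled:
        # A correct secret on a disabled key means someone still holds it:
        # reject, and record the event for the detection team.
        AUDIT_LOG.append(f"disabled key {rec.key_id} presented with valid secret")
        return None
    return rec.owner


if __name__ == "__main__":
    print("vulnerable, disabled key:", authenticate_vulnerable("key-bob", "bob-secret-2"))
    print("fixed, disabled key:", authenticate_fixed("key-bob", "bob-secret-2"))
    print("fixed, live key:", authenticate_fixed("key-alice", "alice-secret-1"))
    print("audit log:", AUDIT_LOG)
```

Running the block prints `bob` for the vulnerable path and `None` for the fixed one with the same disabled key, and leaves one entry in the audit log. The design point is that "does the key exist and does the secret match" and "is the key currently allowed to be used" are two separate checks, and revocation only works if the second one is actually on the request path.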
Account Policy – Weak Lockout Policy
Netwrix PingCastle Enterprise and Pro versions prior to 3.3.0.1 do not enforce an account lockout policy. This raises the chance that an attacker can gain unauthorized access to the application by running a dictionary attack against known user accounts, specifically those without MFA enabled; accounts with MFA are correspondingly less exposed. Netwrix rates the issue CVSS 4.0 7.6 and CVSS 3.1 8.1 (base) / 7.1 (temporal).
Denial of Service – Shared Resource Lock
Netwrix PingCastle Enterprise and Pro versions prior to 3.3.0.1 use a single shared resource to throttle brute-force attempts against account recovery codes. An attacker can tie up that resource and so carry out a denial-of-service (DoS) attack that keeps the application unavailable for the duration of the attack. Netwrix rates the issue CVSS 4.0 4.9 and CVSS 3.1 5.3 (base) / 4.6 (temporal).
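The next example, added here and not taken from PingCastle, uses one small login harness to show the two remaining issues side by side: a verification path with no lockout lets a dictionary attack run to completion; a throttle keyed on a single counter shared by all accounts (one plausible shape of the advisory's "shared resource", assumed here rather than documented) locks every account as soon as any one of them is attacked; and a per-account counter stops the attack without affecting other users. Accounts, passwords, the wordlist, thresholds and the clock are all constructed.

```python
"""
Added illustration, not PingCastle's code: how a verification endpoint
behaves under a dictionary attack with (a) no lockout, (b) a throttle that
shares one counter across all accounts, (c) a per-account lockout.
Accounts, passwords, wordlist, thresholds and the fake clock are constructed.
"""
import hmac
from collections import defaultdict
from typing import Dict

# Constructed accounts: password-only, no MFA enrolled.
USERS: Dict[str, str] = {"alice": "Winter2024!", "bob": "correct horse"}
# Constructed attacker wordlist; alice's real password is the last entry.
WORDLIST = ["password", "123456", "Summer2024!", "qwerty", "Winter2024!"]

MAX_FAILURES = 3        # failures before lockout
LOCKOUT_SECONDS = 900   # how long the lockout lasts


class FakeClock:
    """Deterministic clock so the example runs the same every time."""
    def __init__(self) -> None:
        self.now = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds


class NoLockout:
    """Weak lockout policy: every attempt is allowed, nothing is counted."""
    def allow(self, user: str) -> bool:
        return True

    def record(self, user: str, success: bool) -> None:
        return None


class SharedThrottle:
    """Anti-pattern: one failure counter and one lock for the whole app,
    so hammering any account trips the lock for everyone (DoS)."""
    def __init__(self, clock: FakeClock) -> None:
        self.clock, self.failures, self.locked_until = clock, 0, 0.0

    def allow(self, user: str) -> bool:
        return self.clock.now >= self.locked_until

    def record(self, user: str, success: bool) -> None:
        if success:
            self.failures = 0
            return
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = self.clock.now + LOCKOUT_SECONDS
            self.failures = 0


class PerAccountLockout:
    """Counter and lockout window keyed by account: an attack on one
    account cannot lock out another."""
    def __init__(self, clock: FakeClock) -> None:
        self.clock = clock
        self.failures: Dict[str, int] = defaultdict(int)
        self.locked_until: Dict[str, float] = defaultdict(float)

    def allow(self, user: str) -> bool:
        return self.clock.now >= self.locked_until[user]

    def record(self, user: str, success: bool) -> None:
        if success:
            self.failures[user] = 0
            return
        self.failures[user] += 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = self.clock.now + LOCKOUT_SECONDS
            self.failures[user] = 0


def login(policy, user: str, password: str) -> str:
    """Returns 'ok', 'denied' or 'locked'."""
    if not policy.allow(user):
        return "locked"
    ok = user in USERS and hmac.compare_digest(USERS[user], password)
    policy.record(user, ok)
    return "ok" if ok else "denied"


def dictionary_attack(policy, user: str) -> dict:
    """Runs WORDLIST against one account until it succeeds or is locked out."""
    for n, guess in enumerate(WORDLIST, 1):
        result = login(policy, user, guess)
        if result != "denied":
            return {"result": result, "guesses": n}
    return {"result": "exhausted", "guesses": len(WORDLIST)}


def demo() -> Dict[str, dict]:
    """Attack alice under each policy; meanwhile bob logs in correctly, and
    alice tries her real password again once the lockout window has passed."""
    clock = FakeClock()
    policies = {"no_lockout": NoLockout(), "shared_throttle": SharedThrottle(clock),
                "per_account": PerAccountLockout(clock)}
    out = {}
    for name, policy in policies.items():
        attack = dictionary_attack(policy, "alice")
        bob = login(policy, "bob", "correct horse")
        clock.advance(LOCKOUT_SECONDS)
        alice_later = login(policy, "alice", "Winter2024!")
        out[name] = {"attack": attack["result"], "guesses": attack["guesses"],
                     "bob_during_attack": bob, "alice_after_window": alice_later}
    return out


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:16} {row}")
```

With no lockout the attacker reaches the real password on the fifth guess while bob is unaffected; with the shared throttle the attacker is stopped after three failures, but bob's correct login is refused as well, which is the denial of service; with the per-account policy the attacker is stopped and bob logs in normally. In all three cases alice can log in again after the lockout window, so the fix does not turn into a permanent self-inflicted lockout.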
Published: November 14, 2024
Executive Summary
Several vulnerabilities were identified and remediated during a routine security review of Netwrix PingCastle Enterprise and Pro. The vulnerabilities may allow an attacker to render PingCastle Enterprise and Pro unavailable or to gain unauthorized access to the application. Netwrix is unaware of any evidence of active exploitation of any of these vulnerabilities.
Vulnerability

Title: Broken Authentication – API Key State Ignored
Affected Component: Netwrix PingCastle Enterprise and Pro
Affected Versions: < 3.3.0.1
CVSS 4.0 Score: 7.7
CVSS 3.1 Score (Base / Temporal): 7.5 / 6.5
Description: Netwrix PingCastle Enterprise and Pro allow access using API keys that have been disabled, which may allow an attacker in possession of the disabled API key to gain unauthorized access to the application.

Title: Account Policy – Weak Lockout Policy
Affected Component: Netwrix PingCastle Enterprise and Pro
Affected Versions: < 3.3.0.1
CVSS 4.0 Score: 7.6
CVSS 3.1 Score (Base / Temporal): 8.1 / 7.1
Description: Netwrix PingCastle Enterprise and Pro do not enforce an account lockout policy, which increases the chance that a malicious actor could gain unauthorized access to the application by conducting dictionary attacks against known user accounts which do not have MFA enabled.

Title: Denial of Service – Shared Resource Lock
Affected Component: Netwrix PingCastle Enterprise and Pro
Affected Versions: < 3.3.0.1
CVSS 4.0 Score: 4.9
CVSS 3.1 Score (Base / Temporal): 5.3 / 4.6
Description: Netwrix PingCastle Enterprise and Pro use a shared resource to prevent brute force attacks against account recovery codes, which may allow an attacker to execute a denial of service (DOS) attack rendering the application unavailable for the duration of the attack.

Exploitability
Factors such as whether details about the vulnerability are publicly known, whether an exploit is readily available, or whether adversaries are actively exploiting the vulnerability are valuable in making risk-based judgements about urgency and priority; customers should use the information below in making those decisions.

Title | Publicly known? | Exploit available? | Actively exploited?
Broken Authentication – API Key State Ignored | No | No | No
Account Policy – Weak Lockout Policy | No | No | No
Denial of Service – Shared Resource Lock | No | No | No
Solution

All Netwrix PingCastle Enterprise and Pro customers are advised to update PingCastle Enterprise and Pro to version 3.3.0.1 or later as soon as possible.
Instructions for the Netwrix PingCastle Enterprise upgrade process can be found in this help center article.
Instructions for the Netwrix PingCastle Pro upgrade process can be found in this help center article.
Please contact the Netwrix technical support team should you need assistance.
Official Fixes: Updated software has been released containing official fixes for all listed vulnerabilities as indicated in the table below. Please ensure you apply the correct hotfix to the version of Netwrix PingCastle you are using.
Title | Version
Broken Authentication – API Key State Ignored | 3.3.0.1
Account Policy – Weak Lockout Policy | 3.3.0.1
Denial of Service – Shared Resource Lock | 3.3.0.1

FAQ
1. How do I determine the current version of Netwrix PingCastle?
The current Netwrix PingCastle Enterprise and Pro version can be found by clicking the About link at the bottom of each page in Netwrix PingCastle Enterprise and Pro.
2. Are Netwrix PingCastle Basic or Standard versions affected?
No, only Netwrix PingCastle Enterprise and Pro are affected by the vulnerabilities listed above.
Revision | Date | Description
1 | November 14, 2024 | First published
Addendum: Vincent Le Toux sent me the following statement on X:
The note issued by Netwrix describes issues that are not exploitable in real life (brute force of an MFA recovery key, or XSS mitigated by the CSP header that prohibits the use of JavaScript to « explicitly allowed »). Please relativise the importance of the bugs fixed.