
How to remediate – Netwrix Auditor Web API Detection

1. Introduction

Netwrix Auditor Web API Detection indicates that the web interface for Netwrix Auditor is accessible on a remote host. Netwrix Auditor is an auditing and optimization solution used by businesses to meet compliance requirements. Successful exploitation could allow unauthorised access to audit data. This affects systems running Netwrix Auditor with its web API enabled. If the API is compromised, the likely impact is a moderate loss of confidentiality, integrity, and availability.

2. Technical Explanation

The finding arises from a publicly reachable web API on the Netwrix Auditor host. The API requires HTTP Basic authentication credentials for normal use, but its presence can be fingerprinted without them from the server's SSL/TLS certificate and HTTP response headers when the scanner runs in paranoid mode. An attacker could attempt to brute-force these credentials or exploit weaknesses in the API itself.

  • Root cause: The Netwrix Auditor Web API is exposed on a network interface, potentially allowing remote access.
  • Exploit mechanism: An attacker attempts to access the API endpoint and uses techniques like credential stuffing or brute-force attacks against the HTTP basic authentication scheme.
  • Scope: This affects all systems running Netwrix Auditor with the web API enabled, regardless of operating system.

3. Detection and Assessment

Confirming exposure involves checking for the presence of the API endpoint and its associated configuration. A quick check can be done via a network scan. Thorough assessment requires verifying authentication requirements.

  • Quick checks: Use a web browser or curl to access the default API URL (typically https:///api).
  • Scanning: Nessus plugin ID 165749 can detect Netwrix Auditor Web API. This is an example only, and may require updates.
  • Logs and evidence: Check web server logs for requests to the /api endpoint. Event IDs are not typically associated with this detection.
curl -I https:///api

4. Solution / Remediation Steps

Fixing this issue involves restricting access to the Netwrix Auditor Web API or disabling it if it is not required. These steps should be performed during a scheduled maintenance window.

4.1 Preparation

  • Ensure you have administrator credentials for the Netwrix Auditor server and a pre-change snapshot or backup; the rollback plan is to restore from it.
  • Changes should be approved by the security team or IT manager.

4.2 Implementation

  1. Log in to the Netwrix Auditor web console as an administrator.
  2. Navigate to Administration > System settings > Web API.
  3. Disable the “Enable Web API” option, or restrict access using IP address filtering.
  4. Save the changes and restart the Netwrix Auditor service.

4.3 Config or Code Example

Before

Enable Web API: Checked

After

Enable Web API: Unchecked

4.4 Security Practices Relevant to This Vulnerability


  • Least privilege access to limit the impact if the API is compromised.
  • Network segmentation to isolate Netwrix Auditor from untrusted networks.

4.5 Automation (Optional)

# Example PowerShell script to disable the Web API through the Netwrix Auditor API (requires appropriate permissions).
# This is an example only: the endpoint, parameter names and HTTP method below are illustrative and must be
# confirmed against the Netwrix documentation for your version before use.
$NetwrixServer = "https://your-netwrix-server"

# Prompt for the administrator account interactively instead of storing a password in the script.
$Credential = Get-Credential -Message "Netwrix Auditor administrator account"

$Uri = "$NetwrixServer/api/v1/systemsettings?action=setsetting&name=EnableWebAPI&value=false"
Invoke-RestMethod -Uri $Uri -Credential $Credential

5. Verification / Validation

Confirm the fix by verifying that the API endpoint is no longer accessible or requires restricted access. Perform a smoke test to ensure core functionality remains operational.

  • Post-fix check: Run curl -I https:///api and verify that it returns 403 Forbidden or fails to connect.
  • Re-test: Re-run the Nessus scan (ID 165749) to confirm the vulnerability is no longer detected.
  • Smoke test: Log in to the Netwrix Auditor web console and verify you can access audit data.
curl -I https:///api
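Added example (not from the original article) that turns the curl -I https:///api check used in sections 3 and 5 into a repeatable script: it classifies the probe result as exposed, restricted, unreachable or needing review so the pre-fix and post-fix states can be compared. The host name, the script file name and the status mapping (401/200 exposed, 403 restricted, connection failure unreachable) are assumptions derived from the article's own verification criteria.

```shell
#!/bin/sh
# Added example: interpret the `curl -I https://<host>/api` probe used for
# detection and post-fix verification. HOST is supplied by the caller (assumption).

# classify_api_check CURL_EXIT HTTP_STATUS
#   CURL_EXIT   exit code curl returned
#   HTTP_STATUS status curl reported via -w '%{http_code}' (000 if no response)
# Prints EXPOSED, RESTRICTED, UNREACHABLE or REVIEW.
classify_api_check() {
  curl_exit="$1"
  status="$2"
  # Exit 60: the certificate is not trusted by this client. That is not proof the
  # API is gone; rerun with --cacert pointing at the server's CA before concluding.
  if [ "$curl_exit" -eq 60 ]; then
    echo REVIEW
    return 0
  fi
  # Any other curl failure (6 = DNS, 7 = connection refused, 28 = timeout) means the
  # endpoint is not reachable from this vantage point, the expected state once the
  # Web API is disabled or filtered.
  if [ "$curl_exit" -ne 0 ]; then
    echo UNREACHABLE
    return 0
  fi
  case "$status" in
    401) echo EXPOSED ;;      # Basic-auth challenge: the API answers, detection still fires
    200) echo EXPOSED ;;      # answers without credentials: treat as exposed as well
    403) echo RESTRICTED ;;   # reachable but denied, e.g. by IP address filtering
    *)   echo REVIEW ;;       # unexpected status: inspect the full response by hand
  esac
}

# check_netwrix_api HOST: run the probe (network access required) and classify it.
check_netwrix_api() {
  url="https://$1/api"
  status=$(curl -sS -I --max-time 10 -o /dev/null -w '%{http_code}' "$url" 2>/dev/null)
  rc=$?
  classify_api_check "$rc" "$status"
}

# Usage: sh check_netwrix_api.sh <host>   (file name is hypothetical)
if [ -n "${1:-}" ]; then
  check_netwrix_api "$1"
fi
```

Run it once before the change (expect EXPOSED) and once after (expect RESTRICTED or UNREACHABLE); a REVIEW result means the probe itself needs attention before the finding can be closed.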

6. Preventive Measures and Monitoring


  • Baselines: Update security baselines or policies to include a requirement for disabling unused web APIs.
  • Pipelines: Incorporate static code analysis (SAST) into CI/CD pipelines to identify potentially exposed API endpoints during development.
  • Asset and patch process: Review Netwrix Auditor configurations regularly as part of an asset management process.

7. Risks, Side Effects, and Roll Back

  • Risk or side effect 1: Disabling the Web API may break integrations that rely on it.
  • Risk or side effect 2: Restricting access by IP address requires careful planning to avoid blocking legitimate users.
  • Roll back:
      1. Log in to the Netwrix Auditor web console as an administrator.
      2. Navigate to Administration > System settings > Web API.
      3. Re-enable the “Enable Web API” option, or remove the IP address restrictions.
      4. Save the changes and restart the Netwrix Auditor service.

8. References and Resources

Updated on December 27, 2025
