Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-22420: Centrify Agent for Windows - Remote Code Execution Vulnerability

Auditing and Monitoring Service ,   Privilege Elevation Service ,  

14 April,20 at 12:46 PM

Updated November 6, 2019

Updated versions are now available on the Centrify Download Center under the name Centrify Infrastructure Services 19.6 for 64-bit Windows (Nov. 2019 Component Update).

---

Security Vulnerability:
It has been brought to our attention that in certain situations the Centrify Agent for Windows, part of Centrify Privilege Elevation Service, can allow an attacker to perform remote code execution.  The Centrify Engineering team has confirmed this vulnerability and discovered that this also applies to Audit Manager, Audit Analyzer and Access Manager; specifically Windows component of Centrify Authentication and Privileged Elevation Services 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1 (18.8), 3.5.2 (18.11) and 3.6.0 (19.6).  This is related to the .NET framework vulnerability detailed in CVE-2012-0161 and CVE-2019-18631.

Note:  This does not impact the Centrify Client for Windows downloaded from the Privileged Access Service tenants.  The products mentioned above are all downloaded from the Centrify Download Center.


Solution:
Updated 19.6 versions with the fix are available on the Centrify Download Center.  Customers will be required to upgrade to these new versions to fully resolve the issue.


Notes and References:
CVE-2012-0161CVE-2019-18631

 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-30546: When using the Centrify Client for Windows™ why must network level authentication (NLA) be disabled? article[Labs] Securing Windows Servers with Centrify Infrastructure Service - Local Password Management articleCentrify 19.5 Release Notes articleKB-6041: How to show current license type in use by adclient articleKB-38689: Are the Centrify products affected by the Windows DNS Server Remote Code Execution Vulnerability CVE-2020-1350 articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? article[Labs] Securing Windows Servers with Centrify Infrastructure Service - Enrollment, Settings and Sets