
KB-22420: Centrify Agent for Windows - Remote Code Execution Vulnerability

Auditing and Monitoring Service, Privilege Elevation Service

14 April,20 at 12:46 PM

Updated November 6, 2019

Updated versions are now available on the Centrify Download Center under the name Centrify Infrastructure Services 19.6 for 64-bit Windows (Nov. 2019 Component Update).


Security Vulnerability:

It has been brought to our attention that in certain situations the Centrify Agent for Windows, part of Centrify Privilege Elevation Service, can allow an attacker to perform remote code execution. The Centrify Engineering team has confirmed this vulnerability and found that it also applies to Audit Manager, Audit Analyzer and Access Manager; specifically, the Windows components of Centrify Authentication and Privileged Elevation Services 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1 (18.8), 3.5.2 (18.11) and 3.6.0 (19.6) are affected. This is related to the .NET Framework vulnerability detailed in CVE-2012-0161 and CVE-2019-18631.

Note:  This does not impact the Centrify Client for Windows downloaded from the Privileged Access Service tenants.  The products mentioned above are all downloaded from the Centrify Download Center.

Updated 19.6 versions with the fix are available on the Centrify Download Center.  Customers will be required to upgrade to these new versions to fully resolve the issue.

Notes and References: