CVE-2019-14483
Description
AdRem NetCrunch 10.6.0.4587 allows Credentials Disclosure. Every user can read the BSD, Linux, MacOS and Solaris private keys, private keys' passwords, and root passwords stored in the credential manager. Every administrator can read the ESX and Windows passwords stored in the credential manager.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AdRem NetCrunch 10.6.0.4587 allows any authenticated user to read stored private keys, key passwords, and root passwords; administrators can also read ESX/Windows passwords.
Vulnerability
AdRem NetCrunch version 10.6.0.4587 contains a credentials disclosure vulnerability. The credential manager stores private keys (for BSD, Linux, MacOS, Solaris), private key passwords, root passwords, and ESX/Windows passwords. The application fails to enforce proper access controls, allowing any authenticated user to retrieve the complete set of BSD, Linux, MacOS, and Solaris credentials, while administrators can additionally read ESX and Windows passwords [1]. Earlier versions are believed to be affected as well, but only version 10.6.0.4587 was confirmed vulnerable; version 10.6.1.4607 is reported as fixed [1].
Exploitation
Exploitation requires a valid, authenticated session on the NetCrunch web console or fat client. No special privileges beyond authentication are needed to access the Linux, BSD, MacOS, and Solaris credentials. An attacker with administrative privileges can access all credential types, including ESX and Windows passwords. The attack is performed remotely by sending crafted requests to the credential manager endpoints [1].
Impact
Successful exploitation allows an attacker to obtain cleartext credentials and private keys for monitored systems. With these credentials, the attacker can gain unauthorized access to those systems, potentially achieving remote code execution, data exfiltration, or lateral movement within the network. The compromise affects the confidentiality of all stored credentials, and the impact varies with the privileges the disclosed credentials hold on the monitored systems [1].
Mitigation
AdRem NetCrunch version 10.6.1.4607 fixes the vulnerability [1]. Organizations running version 10.6.0.4587 or earlier should upgrade immediately. No workarounds are documented. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- AdRem/NetCrunch
Patches
No patches discovered yet.
References
- compass-security.com/fileadmin/Research/Advisories/2020-17_CSNC-2019-018_AdRem_NetCrunch_Credentials_Disclosure.txt (mitre, x_refsource_MISC)
- www.adremsoft.com/support/ (mitre, x_refsource_MISC)