Is this expected behavior for the Account Lockout Examiner tool?

security lockout examiner


#1 fisherr09

    Newbie

  • Members
  • 1 posts

Posted 24 June 2016 - 07:07 PM

Our security team has noticed our TippingPoint appliance blocking traffic between the server running the Netwrix Account Lockout Examiner and clients on the network. TippingPoint is reporting this traffic as exploits, and the exploit is "MS-RPC Samba RPC Heap Overflow", which is part of the Zero Day Initiative (ZDI-07-033).

 

We are running version 4.1.417 of the Netwrix Account Lockout Examiner on Windows Server 2012.

 

This is the only software running on this server, and when I disable the Netwrix Account Lockout Examiner service the traffic to the clients stops.

 

I'm suspecting it has to do with the tool trying to verify the source of the bad password attempts/lockout, but wanted to see if I could get confirmation on this and that the traffic is normal and by design.

 

Thank you!



#2 jeffb

    Advanced Member

  • Administrators
  • 384 posts
  • Gender: Male

Posted 29 June 2016 - 04:26 PM

fisherr09,

 

The RPC traffic is to be expected, as RPC calls are used to connect to machines to grab lockout events. Also, the vulnerability you are speaking of was fixed back in 2007: https://www.samba.or...-2007-2446.html

 

Thanks,

Jeff B
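For readers wanting to see what "connecting to machines to grab lockout events" looks like on the wire, here is an added illustration (not Netwrix's code, and not part of the thread) of the same kind of remote Security-log query a lockout examiner performs: PowerShell pulling 4740 lockout events from a domain controller. Get-WinEvent with -ComputerName talks to the remote Event Log service over RPC, which is the traffic class an IPS signature such as the one above may match. The domain controller name 'DC01' is a placeholder.

```powershell
# Added example: collect account-lockout events (Event ID 4740) from a domain
# controller over the remote event-log (RPC) channel a lockout examiner uses.
# 'DC01' is a placeholder; run as an account with read access to the DC's Security log.
param(
    [string]$DomainController = 'DC01',
    [int]$Hours = 24
)

$filter = @{
    LogName   = 'Security'
    Id        = 4740                          # "A user account was locked out."
    StartTime = (Get-Date).AddHours(-$Hours)
}

# This call is the RPC traffic seen by the appliance: the local host binds to the
# remote EventLog service on the DC to read its Security log.
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter `
                       -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No 4740 events on $DomainController in the last $Hours hour(s)."
    return
}

$lockouts = foreach ($e in $events) {
    # Parse the event XML so fields are picked by name rather than by position.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time             = $e.TimeCreated
        LockedAccount    = $data['TargetUserName']
        # In 4740 the TargetDomainName field carries the "Caller Computer Name",
        # i.e. the machine from which the failed logon attempts were received.
        CallerComputer   = $data['TargetDomainName']
        DomainController = $DomainController
    }
}

# Per-event detail, then a summary of which source machines generate lockouts;
# the summary is what an examiner tool uses to decide where to look next.
$lockouts | Sort-Object Time -Descending | Format-Table -AutoSize
$lockouts | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object @{Name='CallerComputer'; Expression={$_.Name}}, Count |
    Format-Table -AutoSize
```

Seeing this traffic only from the examiner host, and only toward domain controllers and the caller computers named in 4740 events, is the pattern that distinguishes the tool's legitimate collection from the exploit the signature was written for.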





