Important notice: The information in this article applies to PRTG installations as of PRTG 7.
A statement regarding CVE-2020-14073
In this article, we provide an official statement on the vulnerability report and answer some questions on the matter.
Can you confirm the vulnerability?
We can confirm the originally reported attack vector, but we did not consent to the vulnerability having been published. The report describes the malicious use of the Maps feature in PRTG.
We allow and encourage users to create a rich visualization experience in their maps. This includes the ability to add active components to maps.
From our point of view, the reported feature itself cannot simply be restricted, because the embedding of script code is a crucial part of the product functionality. We were in contact with the reporter about this and also informed them about the circumstances.
We acknowledge that the current possibilities to restrict the use of this advanced feature may not be sufficient. We were therefore already in the process of finding a solution to the problem together with our Product Management team.
Due to the reported use case, we are also working on a solution that makes it clearer which risks are involved in using this feature.
Which products and versions are affected by the vulnerability?
All PRTG versions as of PRTG 7.
When do you plan to release a fixed version?
We are currently refining the use case and the related product functionality. In doing so, we hope to provide users with a more fine-grained way to scope the use of the feature in question in the future.
We will certainly adapt our documentation so that users are made more aware of the risks involved here.
Are there any mitigating factors or recommended workarounds?
Currently, no workaround or direct mitigation is possible. A potential attacker needs a valid user account in PRTG with at least read/write permissions in order to create or edit maps.
A PRTG administrator can check the user base in the PRTG web interface under Setup | System Administration | User Accounts to re-evaluate the access rights granted or to delete inactive user accounts. For more information, see PRTG Manual: System Administration—User Accounts.
Additionally, a PRTG administrator can access the entire object history of all maps and check for possible malicious activity via
https://<yourprtginstance>/objecthistory.htm?tabid=9
For more information, see PRTG Manual: Logs.