What's the open vulnerability report CVE-2020-14073 that my security tracker informed me about?


Can you confirm the vulnerability? Which products and versions are affected by the vulnerability? When do you plan to release a fixed version? Are there any mitigating factors or recommended workarounds?

cve-2020-14073 map-designer maps prtg security

Created on Jun 26, 2020 8:42:21 AM by  Brandy Greger [Paessler Support]

Last change on Jun 26, 2020 12:06:41 PM by  Brandy Greger [Paessler Support]



1 Reply

Accepted Answer


Important notice: The information in this article applies to PRTG installations as of PRTG 7.

A statement regarding CVE-2020-14073

In this article, we would like to provide you with an official statement on the vulnerability report and provide you with answers to some questions on the matter.

Can you confirm the vulnerability?

We can confirm the originally reported attack vector, but we did not consent to the vulnerability having been published. The report describes the malicious use of the Maps feature in PRTG.

We allow and encourage users to create a rich visualization experience in their maps. This includes the ability to add active components to maps:

The reported feature itself cannot really be restricted from our point of view because the embedding of script code is a crucial part of the product functionality. We were in contact with the reporter about this and also informed them about the circumstances.

We admit that the current possibilities to restrict the use of this advanced feature may not be sufficient. Therefore, we were already in the process of finding a solution to the problem together with our Product Management team.

Due to the reported use case, we are also working on a solution that makes it clearer which risks are involved in using this feature.

Which products and versions are affected by the vulnerability?

All PRTG versions as of PRTG 7.

When do you plan to release a fixed version?

We are currently trying to refine the use case and the connected product functionalities. In doing so, we hope that we will be able to provide users with a more elaborate way to scope the use of the feature in question in the future.

We will certainly adapt our documentation so that users are made more aware of the risks involved here.

Are there any mitigating factors or recommended workarounds?

Currently, no workaround or direct mitigation is possible. A potential attacker needs to have a valid user account in PRTG with at least read/write permissions to be able to create or edit maps.

A PRTG administrator can check the user base in the PRTG web interface under Setup | System Administration | User Accounts to re-evaluate the access rights granted or to delete inactive user accounts. For more information, see PRTG Manual: System Administration—User Accounts.

Additionally, a PRTG administrator can access the entire object history of all maps and check for possible malicious activity via https://<yourprtginstance>/objecthistory.htm?tabid=9

For more information, see PRTG Manual: Logs.

Created on Jun 26, 2020 8:50:22 AM by  Brandy Greger [Paessler Support]

Last change on Jun 26, 2020 9:25:54 AM by  Brandy Greger [Paessler Support]
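The answer above points administrators to two defensive checks: re-evaluating which accounts hold read/write rights, and reviewing the object history of maps for unexpected edits. The following script is an added example, not Paessler's code and not part of the original answer. It shows how a defender could triage exported map history records: it flags edits made by accounts outside an approved list and edits whose map HTML contains active content. The record layout, the approved-user list, the tag list in the regular expression and all sample entries are constructed for this example; PRTG's real object-history export format is not assumed here, and the script would need to be adapted to whatever export you obtain from the objecthistory.htm page mentioned above.

```python
"""Added example (not Paessler's code): triage constructed PRTG map
object-history records for risky map edits.

Assumptions (not taken from the page): the record fields below, the set of
approved map editors, and the list of HTML constructs treated as "active".
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Constructs that indicate active content in a map's HTML. The page only
# speaks of "script code"; the wider tag list is an assumption of this example.
# The on*= pattern is deliberately broad and may produce false positives
# (e.g. an attribute named "online="); that is acceptable for a triage pass.
ACTIVE_CONTENT = re.compile(
    r"<\s*(script|iframe|object|embed)\b|\bon[a-z]+\s*=|javascript:",
    re.IGNORECASE,
)


@dataclass
class HistoryEntry:
    timestamp: datetime
    user: str       # PRTG account that performed the edit (constructed)
    map_name: str
    html: str       # map HTML content after the edit (constructed)


def find_active_content(html: str) -> list[str]:
    """Return the matched active-content fragments, or an empty list."""
    return [m.group(0) for m in ACTIVE_CONTENT.finditer(html)]


def triage(entries: list[HistoryEntry], approved_map_editors: set[str]):
    """Return (entry, reasons) for every entry that was edited by a
    non-approved account or that embeds active content."""
    findings = []
    for e in entries:
        reasons = []
        if e.user not in approved_map_editors:
            reasons.append(f"edit by non-approved user {e.user!r}")
        hits = find_active_content(e.html)
        if hits:
            reasons.append("active content: " + ", ".join(sorted(set(hits))))
        if reasons:
            findings.append((e, reasons))
    return findings


# Constructed sample history; these are not real PRTG log entries.
SAMPLE_ENTRIES = [
    HistoryEntry(datetime(2020, 6, 20, 9, 0), "prtgadmin", "Datacenter Overview",
                 "<div class='box'>Core switches</div>"),
    HistoryEntry(datetime(2020, 6, 22, 14, 30), "helpdesk-rw", "Branch Office",
                 "<img src='/images/logo.png'>"),
    HistoryEntry(datetime(2020, 6, 24, 23, 55), "prtgadmin", "Datacenter Overview",
                 "<div>Status</div><script src='https://example.invalid/widget.js'></script>"),
    HistoryEntry(datetime(2020, 6, 25, 8, 10), "prtgadmin", "NOC Wall",
                 "<a href='javascript:void(0)'>link</a>"),
]

# Constructed list of accounts that are expected to edit maps.
APPROVED_MAP_EDITORS = {"prtgadmin"}


def run_sample() -> list[tuple[str, str, list[str]]]:
    """Run the triage over the constructed sample and return
    (map name, user, reasons) for each finding, in history order."""
    return [(e.map_name, e.user, reasons)
            for e, reasons in triage(SAMPLE_ENTRIES, APPROVED_MAP_EDITORS)]


if __name__ == "__main__":
    for map_name, user, reasons in run_sample():
        print(f"{map_name} (edited by {user}): {'; '.join(reasons)}")
```

A finding from this script is a starting point for review, not proof of misuse: the answer itself states that embedding script code is an intended part of the Maps feature, so the useful question for the administrator is whether each flagged edit was made by an account that should have read/write rights and whether the embedded content is expected.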




