
How has security improved in PRTG 23.2.86?


What is the status of CVE-2023-31448, CVE-2023-31449, CVE-2023-31450, CVE-2023-31452, CVE-2023-32781, and CVE-2023-32782? Do I need to do anything?

cve-2023-31448 cve-2023-31449 cve-2023-31450 cve-2023-31452 cve-2023-32781 cve-2023-32782 prtg security

Created on Jun 27, 2023 10:16:12 AM by Jacqueline Conforti [Paessler Support]

Last change on Jun 27, 2023 10:45:02 AM by Jacqueline Conforti [Paessler Support]



1 Reply


This applies as of PRTG 23.2.86

Summary

As of PRTG 23.2.86, multiple vulnerabilities were addressed. We fixed a path traversal vulnerability that affected the WMI Custom, MySQLv2, and the HL7 sensors. We also fixed a vulnerability that made it possible to bypass the CSRF protection by executing certain HTTP calls. Finally, we fixed a vulnerability present in DICOM sensors and the HL7 sensor that potentially allowed a PRTG user with write permissions to use a debug parameter to create an executable file on the local system.

Details

CVE-2023-31448, CVE-2023-31449, and CVE-2023-31450

A penetration tester brought several possible vulnerabilities to our attention. We fixed a path traversal vulnerability where the WMI Custom, MySQLv2, and HL7 sensors could be created by an authenticated user with unintended paths to WMI, SQL, or HL7 files on the host system, possibly allowing arbitrary actions to be executed.

For more information on the vulnerabilities, see CVE-2023-31448, CVE-2023-31449, and CVE-2023-31450.

CVE-2023-31452

We fixed a vulnerability where it was possible to bypass the CSRF protection by executing HTTP calls on several endpoints via a GET request.

For more information on the vulnerability, see CVE-2023-31452.

CVE-2023-32781 and CVE-2023-32782

We fixed a vulnerability where a PRTG user with write permissions could trick a few sensors into creating possibly executable files on the host system by defining a debug parameter during the creation of DICOM sensors and the HL7 sensor.

For more information on the vulnerabilities, see CVE-2023-32781 and CVE-2023-32782.

Steps to take

We recommend that you always update to the latest version of PRTG via the Auto-Update feature to maintain the highest level of security.

Created on Jun 27, 2023 10:32:27 AM by Jacqueline Conforti [Paessler Support]

Last change on Jun 27, 2023 11:08:49 AM by Jacqueline Conforti [Paessler Support]
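The reply above describes the path traversal issue only in terms of which sensors were affected. As an added illustration of the underlying defensive check (example code written for this page, not Paessler's or PRTG's implementation), the function below constrains a sensor's script parameter to a bare file name with the expected extension inside a fixed per-sensor directory, then verifies the canonical path still lies under that directory. The directory layout, sensor-type keys and extensions are assumptions.

```python
import os
from pathlib import Path

# Hypothetical layout (an assumption for this example, not PRTG's real
# directory structure): each sensor type may only load files of one
# extension from one fixed directory on the host.
SCRIPT_ROOTS = {
    "wmi": (Path("/opt/monitor/scripts/wmi"), ".wmi"),
    "sql": (Path("/opt/monitor/scripts/sql"), ".sql"),
    "hl7": (Path("/opt/monitor/scripts/hl7"), ".hl7"),
}


class InvalidScriptPath(ValueError):
    """Raised when a user-supplied script name must not be used."""


def resolve_script(sensor_type: str, user_value: str) -> Path:
    """Map a user-supplied script name to a path inside the sensor's root.

    The value is treated as a bare file name: directory separators, drive
    letters, NUL bytes, dot-names and a wrong extension are rejected before
    the name is joined to the root. The joined path is then canonicalised
    and checked to still lie under the root, as a second line of defence
    against symlinks and normalisation surprises.
    """
    if sensor_type not in SCRIPT_ROOTS:
        raise InvalidScriptPath(f"unknown sensor type {sensor_type!r}")
    root, ext = SCRIPT_ROOTS[sensor_type]

    name = user_value.strip()
    if not name or "\x00" in name:
        raise InvalidScriptPath(f"empty or malformed name: {user_value!r}")
    if any(sep in name for sep in ("/", "\\", ":")):
        raise InvalidScriptPath(f"directory components not allowed: {user_value!r}")
    if name.startswith("."):
        raise InvalidScriptPath(f"dot-names not allowed: {user_value!r}")
    if not name.lower().endswith(ext):
        raise InvalidScriptPath(f"{user_value!r} must end with {ext}")

    # Containment check on the canonical path, independent of the checks above.
    candidate = Path(os.path.realpath(root / name))
    root_real = Path(os.path.realpath(root))
    if root_real not in candidate.parents:
        raise InvalidScriptPath(f"{user_value!r} escapes {root}")
    return candidate


def is_allowed(sensor_type: str, user_value: str) -> bool:
    """True if resolve_script() would accept the value, False otherwise."""
    try:
        resolve_script(sensor_type, user_value)
        return True
    except InvalidScriptPath:
        return False
```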



