A webserver component in Paessler PRTG Network Monitor 19.2.50 to PRTG 20.1.56 allows unauthenticated remote command execution

Overview:
A webserver component in Paessler PRTG Network Monitor 19.2.50 to PRTG 20.1.56 allows unauthenticated remote command execution via a crafted POST request or the what parameter of the screenshot function in the Contact Support form.

CVE-2020-10374

How can I mitigate CVE-2020-10374 until I can update?

I want to make sure that a remote code execution (RCE) of a UNC path on the PRTG core server system with the security context of the PRTG core server service (CVE-2020-10374) is not possible until I can update to PRTG versions as of PRTG 20.1.57.

What CVE-2020-10374 is about

With a carefully crafted POST request, an attacker can perform an RCE by executing a UNC path on the PRTG core server system with the security context of the PRTG core server service, without needing an authenticated session.

By utilizing the what parameter of the screenshot function that is used in the Contact Support form in PRTG, for example, an attacker is able to inject a crafted, URI-compatible UNC path that is executed as part of the caller chain down to the Chromium engine to create the screenshot.

Note: As soon as you have updated to version 20.1.57.1745, your PRTG installation is not vulnerable to CVE-2020-10374 anymore and you do not have to perform the steps described below.

How to mitigate CVE-2020-10374

To mitigate the security issue, you have the following options.

Option 1: Web application firewall

If you have a web application firewall (WAF), you can block HTTP POST and GET requests that contain the what parameter, or you can delete or overwrite the what parameter.

Note: This process differs depending on the WAF you use. For detailed instructions, please refer to the respective product’s documentation.
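The filter below is an added example of the generic logic behind Option 1; it is not Paessler's code and not a rule for any particular WAF product. It inspects the query string and an application/x-www-form-urlencoded body for the what parameter named in the advisory and either rejects the request ("block" mode) or removes the parameter before the request is forwarded ("strip" mode). The host name, the request path and the parameter values in the sample requests are constructed for this example.

```python
"""Generic request filter for the CVE-2020-10374 mitigation (Option 1).

Added example, not Paessler's code or a configuration for a specific WAF.
It looks for the ``what`` parameter in the query string and in a form-encoded
POST body and either blocks the request or strips the parameter.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

BLOCKED_PARAM = "what"  # the parameter named in the advisory
FORM_TYPE = "application/x-www-form-urlencoded"


@dataclass
class HttpRequest:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: str = ""

    def content_type(self) -> str:
        # Header names are case-insensitive; drop parameters such as charset.
        for name, value in self.headers.items():
            if name.lower() == "content-type":
                return value.split(";", 1)[0].strip().lower()
        return ""


def _params(encoded: str):
    # keep_blank_values so that a bare "what=" is still seen.
    return parse_qsl(encoded, keep_blank_values=True)


def has_blocked_param(req: HttpRequest) -> bool:
    """True if ``what`` (matched case-insensitively, as a conservative choice)
    appears in the query string or in a form-encoded body."""
    names = [k for k, _ in _params(urlsplit(req.url).query)]
    if req.content_type() == FORM_TYPE:
        names += [k for k, _ in _params(req.body)]
    return any(k.lower() == BLOCKED_PARAM for k in names)


def strip_blocked_param(req: HttpRequest) -> HttpRequest:
    """Return a copy of the request with every ``what`` parameter removed."""
    parts = urlsplit(req.url)
    kept_query = [(k, v) for k, v in _params(parts.query) if k.lower() != BLOCKED_PARAM]
    new_url = urlunsplit(parts._replace(query=urlencode(kept_query)))
    new_body = req.body
    if req.content_type() == FORM_TYPE:
        kept_body = [(k, v) for k, v in _params(req.body) if k.lower() != BLOCKED_PARAM]
        new_body = urlencode(kept_body)
    return HttpRequest(req.method, new_url, dict(req.headers), new_body)


def waf_decision(req: HttpRequest, mode: str = "block"):
    """Return ("allow", request) or ("block", None).

    mode "block": reject any request carrying ``what``.
    mode "strip": forward the request with ``what`` removed.
    """
    if not has_blocked_param(req):
        return ("allow", req)
    if mode == "block":
        return ("block", None)
    return ("allow", strip_blocked_param(req))


if __name__ == "__main__":
    # Constructed sample requests; host and path are placeholders.
    get_req = HttpRequest("GET", "http://prtg.example/example/screenshot?what=test&other=1")
    post_req = HttpRequest(
        "POST",
        "http://prtg.example/example/screenshot",
        {"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
        "what=test&x=1",
    )
    for req in (get_req, post_req):
        verdict, cleaned = waf_decision(req, mode="strip")
        print(req.method, verdict, cleaned.url, repr(cleaned.body))
```

The filter only parses form-encoded bodies; a real WAF rule should inspect every body encoding the application accepts, because the advisory speaks of crafted POST requests in general rather than of one encoding. Matching the parameter name case-insensitively is a deliberately conservative choice for a temporary block.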

Option 2: No web application firewall

If you do not have a WAF and if you do not need to generate any PDF reports for PRTG until you can update to the latest PRTG version, go to C:\Program Files (x86)\PRTG Network Monitor\Sensor System and rename the file reporter.exe to break the calling chain of the attack vector.

Note: This does not affect any major PRTG functionality. Generating screenshots and PDF reports,

References

Common Vulnerabilities and Exposures
