RCE on PRTG Network Monitor
TEHTRIS PENTEST

Earlier this year, a TEHTRIS team was mandated to conduct a remote pentest.

The maturity level of the audited information system meant that no vulnerability directly exposed on the internet could be identified. TEHTRIS then decided to dig deeper into the only accessible component, the web interface of a known network monitoring software named PRTG Network Monitor.

Although this solution was up to date with the latest patch provided by its vendor PAESSLER, TEHTRIS discovered an unknown vulnerability (#0day) allowing remote execution of arbitrary code (RCE) without authentication.

This vulnerability has been assigned CVE-2020-10374.

AFFECTED SYSTEMS

The vulnerability affects PAESSLER PRTG Network Monitor versions between 19.2.50 and 20.1.56.

ETHICAL HACKING

In line with its ethics, especially concerning the discovery of new 0day vulnerabilities, TEHTRIS contacted the vendor PAESSLER to disclose the findings privately and worked with MITRE to obtain a CVE number.

PAESSLER reacted immediately and released a patch, fixing the vulnerability in version “20.1.57.1745”.

TEHTRIS has added the exploitation code to its offensive toolkit but will not publish the exploit in order to prevent it from being appropriated by malicious actors.

As of April 1, 2020, an open source search (OSINT) identified more than 30,000 PRTG Monitor servers exposed to the Internet.

PARTNERSHIPS

The technical details of this discovery can be shared with the partners and customers of TEHTRIS to allow the creation of detection signatures, or even the cybersurveillance of a PRTG Monitor instance that cannot be updated.

RECOMMENDATIONS

TEHTRIS teams recommend updating PRTG Monitor by applying the vendor’s recommendations.
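To decide which instances need the update first, the version numbers given in this advisory can be checked against an asset inventory. The script below is an added example, not code from TEHTRIS or PAESSLER; it assumes the affected range is inclusive, that the inventory is available as "host,version" lines, and it uses constructed hostnames and build numbers (only 1745 comes from the advisory).

```python
import re

# Bounds taken from the advisory text; treating the range as inclusive is an assumption.
AFFECTED_MIN = (19, 2, 50)
AFFECTED_MAX = (20, 1, 56)
FIXED_RELEASE = (20, 1, 57)
FIXED_BUILD = 1745

# Constructed inventory: "host,version" per line. Hosts and build numbers are made up.
SAMPLE_INVENTORY = """\
mon-a.example.internal,19.2.50.1000
mon-b.example.internal,20.1.56.1000
mon-c.example.internal,20.1.57.1745
mon-d.example.internal,20.1.57.1000
mon-e.example.internal,19.1.49.1000
mon-f.example.internal,not reported
"""

PRIORITY = {"affected": 0, "unparseable": 1, "verify-build": 2, "not-listed": 3, "fixed": 4}

def classify(version_text):
    """Map a PRTG version string (a.b.c or a.b.c.d) to a triage status."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?", version_text.strip())
    if m is None:
        return "unparseable"          # cannot decide, needs a manual look
    release = tuple(int(x) for x in m.groups()[:3])
    build = int(m.group(4)) if m.group(4) else None
    if AFFECTED_MIN <= release <= AFFECTED_MAX:
        return "affected"
    if release < AFFECTED_MIN:
        return "not-listed"           # older than the range the advisory names
    if release == FIXED_RELEASE and (build is None or build < FIXED_BUILD):
        return "verify-build"         # 20.1.57 but not provably the fixed build
    return "fixed"                    # assumption: later releases keep the fix

def triage(inventory_text):
    """Return (host, version, status) rows, most urgent first."""
    rows = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition(",")
        rows.append((host.strip(), version.strip(), classify(version)))
    return sorted(rows, key=lambda r: (PRIORITY[r[2]], r[0]))

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{status:13} {host:26} {version}")
```

Instances reported as "not-listed" are older than the range this advisory names, so their status has to come from the vendor's own documentation rather than from this check.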

Furthermore, it is not recommended to expose your monitoring servers to the Internet. As far as possible, we recommend that you protect this type of service by creating an administration bastion that can only be accessed through a secure connection via a VPN using the IPsec protocol.

TEHTRIS teams are at your disposal for any further information.