2020-07-23

[Important notice] Important security information from PRTG Network Monitor

Dear PRTG users,
The vendor has notified us of a published vulnerability report (CVE-2020-14073) affecting all versions since PRTG 7. It describes a way in which a user or administrator with read/write permissions can maliciously use one of PRTG's map object features to place a stored XSS payload into a map; this is regarded as part of a chained attack to trick other users into executing the payload.

What can happen as a result?
Other users (for example, administrators) may be tricked into executing this payload when opening the map. Regarding the malicious use of the map feature in PRTG, the vendor does not agree with the vulnerability as disclosed in the report; it instead allows and encourages users to use the map feature to create rich visual experiences. The map feature cannot really be restricted, because the embedding of script code is the core of the feature, but the vendor will still look for a solution to this problem.

When will a fixed version be released?
The vendor is working on the product impact of this issue, hoping to give users a more elaborate way to scope the use of this feature, and will revise the product documentation so that users are more aware of the risks involved.

Are there any mitigating factors or recommended workarounds?
Currently there is no fix or direct mitigation. An attacker needs at least a valid PRTG account with read/write permissions to create or edit maps. A PRTG administrator can check the user list in the PRTG web interface under Setup | System Administration | User Accounts to re-evaluate user permissions or delete inactive accounts, and can also review the history for possible malicious activity.

Product page: https://www.ahasoft.com.tw/web-application/monitor/prtg-detail.html

------------Original text below------------


[Important security notice for PRTG Network Monitor]

Dear partner,

We want to inform you that there is a published vulnerability report (CVE-2020-14073) that affects all versions as of PRTG 7.
It describes a way in which an authenticated read/write user or admin user could maliciously use one of our map object features to place a stored XSS payload into a map, which could then be leveraged as part of a chained attack to trick another user into executing this payload.

What can happen as a result?
The reported feature itself cannot really be restricted from our point of view because the embedding of script code is a crucial part of the product functionality. We were in contact with the reporter about this and also informed them about the circumstances.
We admit that the current possibilities to restrict the use of this advanced feature may not be sufficient enough. Therefore, we were already in the process of finding a solution to the problem together with our Product Management team.

When do you plan to release a fixed version?
We are currently trying to refine the use case and the connected product functionalities.
In doing so, we hope that we will be able to provide users with a more elaborate way to scope the use of the feature in question in the future.
We will certainly adapt our documentation so that users are made more aware of the risks involved here.

Are there any mitigating factors or recommended workarounds?
Currently, no workaround or direct mitigation is possible. A potential attacker needs to have a valid user account in PRTG with at least read/write permissions to be able to create or edit maps.
A PRTG administrator can check the user base in the PRTG web interface under Setup | System Administration | User Accounts to re-evaluate the access rights granted or to delete inactive user accounts.
Additionally, a PRTG administrator can access the entire object history of all maps via yourprtginstance/objecthistory.htm?tabid=9 and check for possible malicious activity.
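Since the only recommended measures are reviewing accounts and reviewing map edit history, an administrator may want to triage such a history automatically. The following is an added example, not code from Paessler or from the PRTG product: it assumes a hypothetical export of map object edits (timestamp, account, map name, HTML body of the edited object; the field layout is constructed here and is not PRTG's real object-history format) and flags edits whose HTML carries script tags, inline event handlers, javascript: URLs or iframes, grouped by the account that made them. The sample records are constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Broad indicators of embedded script in an HTML fragment. This is a triage
# filter for an administrator's review, not a sanitizer: a hit means "look at
# this edit", not "this edit is malicious" (script embedding is a legitimate
# map feature, so expected widgets will also show up here).
SCRIPT_PATTERNS = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "event-handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript-url": re.compile(r"(?:href|src)\s*=\s*['\"]?\s*javascript:", re.I),
    "iframe": re.compile(r"<\s*iframe\b", re.I),
}


@dataclass
class MapEdit:
    """One edit of a map object (hypothetical export record, not a PRTG format)."""
    timestamp: str
    user: str
    map_name: str
    html: str


def find_script_indicators(html: str) -> list[str]:
    """Return the names of the indicator patterns present in an HTML fragment."""
    return [name for name, pat in SCRIPT_PATTERNS.items() if pat.search(html)]


def review_map_history(edits: list[MapEdit]) -> dict[str, list[tuple[str, str, list[str]]]]:
    """Group flagged map edits by the account that made them.

    Returns {user: [(timestamp, map_name, [indicator, ...]), ...]} so an
    administrator can cross-check each account against the user list.
    """
    flagged: dict[str, list[tuple[str, str, list[str]]]] = defaultdict(list)
    for edit in edits:
        hits = find_script_indicators(edit.html)
        if hits:
            flagged[edit.user].append((edit.timestamp, edit.map_name, hits))
    return dict(flagged)


# Constructed sample records; the accounts, map names and HTML are made up.
SAMPLE_EDITS = [
    MapEdit("2020-07-20 09:12", "noc-ops", "Core switches",
            '<div class="label">Uplink to DC2</div>'),
    MapEdit("2020-07-21 17:45", "contractor1", "Core switches",
            '<div onmouseover="doSomething()">Status</div>'),
    MapEdit("2020-07-22 08:03", "contractor1", "Branch WAN",
            '<script>/* custom widget */</script><span>WAN</span>'),
    MapEdit("2020-07-22 10:30", "noc-ops", "Branch WAN",
            '<a href="https://intranet.example.invalid/runbook">Runbook</a>'),
]


if __name__ == "__main__":
    for user, items in review_map_history(SAMPLE_EDITS).items():
        print(f"{user}:")
        for ts, map_name, hits in items:
            print(f"  {ts}  {map_name}: {', '.join(hits)}")
```

Run stand-alone it lists only the edits by `contractor1`, one with an inline event handler and one with a script tag; an administrator would then decide whether that account should still hold read/write rights or whether the widgets are expected.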


