ICS Security expert at Positive Technologies, Alexander Melkikh, discovered a vulnerability in PRTG Network Monitor software developed by Paessler, Germany. The software is used by a number of companies in various industries to control the condition of devices on the network. Currently there are over 16,000 hosts which have this software in the USA, Brazil, Germany, Russia and other countries, all available on the Internet.
Vulnerability CVE-2019-19119 means that a hashed password can be used as an authentication factor in some API handlers. That would provide access to the PRTG Network Monitor software functionality.
This software is often installed on boundary hosts – for instance, between a trusted and an untrusted network. If attackers accessed this software, they can extract detailed information on network hosts and their configuration. This provides a wide range of opportunities for an attack. The specialists also found that the used function of password hash calculation is not cryptographically secure and cannot be called a one-way cryptographic algorithm for hash function calculation. The mechanism is also vulnerable to collisions. That makes it possible to find the source password or a collision for its hash, if the attackers know the hash and the cryptographic salt (these values are stored in the public branch of the OS registry).
We should note that Positive Technologies experts already found vulnerabilities in the web interface of that software back in 2018 (CVE-2018-19203, CVE-2018-19204, CVE-2018-19410, CVE-2018-19411). Those vulnerabilities were classified as high-risk and critical risk.
“There is no denying that uninterrupted operation of modern IT infrastructure is hard to ensure without software for its monitoring and control. However, during assessment of potential cyberthreats, we should not disregard auxiliary software. It should also be studied for potential vulnerabilities, especially if the software is used for ensuring standard functioning of the company’s primary business, for instance, ICS. In addition to vulnerabilities in PRTG Monitor, during ICS security assessment in other projects we encountered other similar software, called WhatsUP Gold, where our specialists also found vulnerabilities. For example, one of the vulnerabilities allows a remote attacker to have access to the entire infrastructure on the server and create space for further attacks against the infrastructure,” said Vladimir Nazarov, Head of ICS Security, Positive Technologies.