At Paessler, we prioritize the security and reliability of Paessler PRTG Network Monitor for our customers. To keep you informed and updated about the known vulnerability CVE-2024-12833, we have created this dedicated Knowledge Base (KB) article. Here, you will find all relevant updates and resolutions to address the issue as they are announced.


By consolidating this information in one central resource, we aim to provide a quick and effective resolution, reducing the need for you to submit support tickets. We encourage you to bookmark this page and check back regularly for the latest updates and guidance.


Timeline



January 23rd 2025


Root Cause Analysis: CVE-2024-12833

 

1. Executive Summary

  • What happened?
    In March 2024, CVE-2024-12833, a vulnerability affecting Paessler's PRTG product, was reported to the Zero Day Initiative. Unfortunately, due to an issue with email processing, Paessler's security team did not receive the initial communications. This was rectified once the vulnerability was publicly disclosed in December 2024, allowing us to mobilize our team and communicate with all affected customers.
  • What did we do and what is the outcome?
    Once made aware, Paessler took action to release a new version of PRTG that contained a hotfix for the vulnerability. Total time from public disclosure to resolution was 10 days. Paessler investigated the email processing issue and implemented controls to correct the problem so it will not occur in the future.

 

2. Issue Details

  • Introduction: At Paessler, we are committed to ensuring the security and reliability of our products. Recently, a security vulnerability, CVE-2024-12833, came to our attention. This article outlines our response and the steps we have taken to protect your systems and enhance our processes.
  • Description of the Vulnerability
    • The vulnerability allows for privilege escalation under certain conditions via cross-site scripting (XSS) and requires user interaction.
    • We hardened the auto-discovery process against the injection of malicious content by adding additional validation and sanitization of input data, to mitigate the risk of stored cross-site scripting (XSS).
  • Potential Impact
    • Paessler has categorized the vulnerability as Important.
    • Confidentiality, integrity and availability are all highly affected because the vulnerability enables privilege escalation.
    • There is no indication that the vulnerability was exploited by attackers.

 

3. Discovery Process

  • Discovery:
    • CVE-2024-12833 was reported to the Zero Day Initiative (ZDI) in March 2024. The vulnerability was submitted by an independent researcher.
  • Timeline:
    • March 13, 2024: Vulnerability reported to the Zero Day Initiative; contact attempt made.
    • November 16, 2024: Additional contact attempt was made by the Zero Day Initiative.
    • December 30, 2024: Public disclosure of the vulnerability.
    • January 2, 2025: Direct communication with the Zero Day Initiative established; customer notifications distributed.
    • January 3, 2025: A dedicated Knowledge Base article was published to centralize information. Development teams reproduced the vulnerability and began work on a hotfix.
    • January 9, 2025: Release of PRTG 25.1.102.1373 containing the hotfix for the vulnerability.

4. Root Cause

  • Analysis:
    • Paessler was able to reproduce the vulnerability.
    • Paessler and the Zero Day Initiative are coordinating information disclosure on the vulnerability. A staged disclosure process will occur after the next two release versions to allow our customers to update the software.

 

5. Resolution and Mitigation

  • Immediate Actions Taken:
    • To address the attack described in CVE-2024-12833 (ZDI-24-1736, ZDI-CAN-23371), we hardened the auto-discovery process against the possible injection of malicious content by adding additional validation and sanitization of input data to mitigate the risk of a stored cross-site scripting (XSS) vulnerability.
    • The immediate aftermath revealed weaknesses in our vulnerability management submission process, particularly in the receipt of encrypted communications/emails. Please see "Lessons Learned" for our measures to improve the vulnerability submission process.

 

  • Long-Term Measures:
    • Rotation duties were added to review the security inbox for correspondence
    • Our technical team continues to work on additional measures to reduce these types of risks
    • Paessler will establish a page on our website dedicated to the vulnerability disclosure submission process

 

6. Customer Impact

  • Affected Versions:
    • Versions up to and including PRTG 25.1.102.1351
  • Updated Versions Available:
    • PRTG 25.1.102.1373
  • Recommended Actions:
    • Customers are advised to update to PRTG 25.1.102.1373 to mitigate the vulnerability.

 

7. Lessons Learned

  • Paessler performed a holistic review of the entire vulnerability submission process to look for areas of improvement. Paessler concluded an investigation with the Service Desk vendor to understand why a case was not created for our security team's review. Once we discovered the emails were held in transit, we performed the following changes:
    • Paessler worked with our Service Desk vendor to whitelist the email addresses involved in the disclosure of CVE-2024-12833
    • Access to the Security inbox was expanded to additional staff, with a weekly rotation established for constant review
    • A full search was performed to ensure no other emails were lost
    • Alerting was established when an encrypted message arrives at our inboxes or to our Service Desk
    • Paessler believes these preventive measures will drastically reduce the risk of missing any potential notifications in the future.

 

8. Transparency and Commitment

  • We understand the importance of security in your operations. Paessler is dedicated to maintaining transparent and effective communication with our customers. We appreciate your support and understanding as we continue to enhance our security measures and vulnerability disclosure process.

 

9. Contact Information

January 16th 2025


Paessler is currently undergoing an internal review to improve the vulnerability submission process and ensure that all potential vulnerability disclosures are promptly and proactively addressed. Findings of this review will be made available through a Root Cause Analysis, and will be made available to customers through this page once our investigation is complete.

January 13th 2025


Paessler deployed PRTG 25.1.102.1373 to all PRTG Hosted instances.


January 10th 2025


Paessler released PRTG 25.1.102.1373 for PRTG Enterprise Monitor today.

 

Please be aware that an active PRTG subscription or maintenance is required to receive the updated stable release version 25.1.102.1373 that contains the hotfix to mitigate the attack as described in CVE-2024-12833.


January 9th 2025


Paessler released a new Stable version of Paessler PRTG Network Monitor, 25.1.102.1373. This version includes the hotfix to address the attack described in CVE-2024-12833 (ZDI-24-1736, ZDI-CAN-23371). The rollout for Paessler PRTG Hosted Monitor customers is scheduled for Monday, January 13. We will also upload a new Paessler PRTG Enterprise Monitor bundle (Paessler PRTG Network Monitor + ITOps) in the following days.


January 8th 2025


Our development and Quality Assurance teams are currently testing a Hotfix to remediate the attack path as described by the Zero Day Initiative. More information will be released shortly, including the release date for the Hotfix.


January 7th 2025


Paessler has performed the following activities in response to the Zero Day Initiative announcement of CVE-2024-12833:

  • Paessler has established a direct line of communication with the Zero Day Initiative to understand the disclosure and perform our internal evaluation on their findings
  • Paessler has assembled an internal task force to perform validation of the vulnerability report
  • Paessler is performing a full Root Cause Analysis (RCA) in parallel to prevent similar issues from occurring in the future, and to implement appropriate safeguards

Next steps:

  • Paessler is continuing testing and validation activities in advance of a hotfix/patch
  • Paessler will announce required actions to be taken based on the results of our validation review

Disclosure Details

  • The notification from ZDI describes a multi-staged attack that allows network-adjacent attackers to inject a stored XSS payload into the system by leveraging maliciously modified third-party endpoints
  • User interaction or a specific auto-discovery setup is required to set up the attack
  • Additional user interaction on the part of an administrator is required for exploitation
  • An attacker can leverage user interaction of an administrator to execute an API call on behalf of the attacker against the system
  • As of now, Paessler is not aware of active exploitation or attack
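The mitigation described in this advisory (validating and sanitizing auto-discovery input, plus output encoding at render time) shown as an added Python illustration; this is not Paessler's code and does not reflect PRTG internals. The SNMP-style field names, the sample record and the allowlists are assumptions made for the example.

```python
"""Added illustration, not Paessler's code: device attributes learned during
auto-discovery are validated at ingestion and encoded at render time, so data
returned by a third-party endpoint cannot become a stored XSS payload."""
import html
import re

# Constructed record, shaped like data a scanned endpoint might report.
DISCOVERED = {
    "sysName": "core-sw-01.example.net",
    "sysDescr": "Cisco IOS Software <script>alert(1)</script>",
    "sysLocation": "Rack 12, Row B",
}

MAX_LEN = 255
# RFC 1123-style hostname: labels of letters, digits and inner hyphens.
_HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
# Allowlist for free-text fields: word characters, space, light punctuation.
_FREETEXT_CHAR_RE = re.compile(r"^[\w .,;:()/+-]$")

def validate_hostname(value: str) -> bool:
    """Hard validation: a hostname field either matches the allowlist or the
    whole record is rejected; nothing is "cleaned" into acceptance."""
    return len(value) <= MAX_LEN and _HOSTNAME_RE.match(value) is not None

def sanitize_freetext(value: str) -> str:
    """Allowlist sanitization for descriptive fields at ingestion time:
    characters outside the permitted set are dropped, then truncated."""
    kept = "".join(ch for ch in value if _FREETEXT_CHAR_RE.match(ch))
    return kept[:MAX_LEN].strip()

def render_cell(value: str) -> str:
    """Output encoding for an HTML table cell. Kept independent of ingestion
    checks so an older, unsanitized record still renders inert."""
    return f"<td>{html.escape(value, quote=True)}</td>"

def ingest(record: dict) -> dict:
    """Validate and sanitize a discovered record before it is stored."""
    if not validate_hostname(record["sysName"]):
        raise ValueError("discovered sysName failed hostname validation")
    return {"sysName": record["sysName"],
            "sysDescr": sanitize_freetext(record["sysDescr"]),
            "sysLocation": sanitize_freetext(record["sysLocation"])}

def flag_stored_fields(record: dict) -> list:
    """Defender's review check over already-stored records: name the fields
    that contain HTML-active characters and deserve a manual look."""
    return [k for k, v in record.items() if any(c in v for c in "<>\"'&")]
```

Running `flag_stored_fields` over the raw record names `sysDescr`; after `ingest` no field is flagged, and `render_cell` still encodes whatever reaches the UI.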


January 3rd 2025


In response to CVE-2024-12833, we are working directly with the Zero Day Initiative to analyze and replicate the reported issue. Once complete, Paessler will provide more information about the severity, applicability and the potential fix. We are currently not aware of any exploitation in the wild.