The following information only affects you if you are running PRTG Network Monitor V15.2.16.2229/2230 (released on April 28th, 2015) through V16.1.21.1257/1258 (released on January 18th, 2016).
What Happened?
During testing of new PRTG features, our Quality Assurance team discovered a possible vulnerability. Our Product Development team immediately started working on a solution, which was found and implemented within one day. On Monday, January 25th, we made an update available for PRTG which fixes the vulnerability.
We then informed our customers and partners about the security update directly via an update notice in PRTG, via email, and also via this blog article.
What Can You Do?
The only definitive solution is to update to the latest PRTG version as soon as possible! We strongly recommend this to all PRTG users.
- Freeware/Trial-Users: Please go to Setup|Auto Update in the main menu and update your installation (free update).
- Commercial Licenses: This update requires an active maintenance contract. Please go to Setup|Auto Update in the main menu, or log in to our customer service portal, to check whether your maintenance is still active or needs to be renewed. When in doubt, please contact sales@paessler.com for assistance.
What is the Nature of the Vulnerability?
Under certain circumstances a so-called "path traversal attack" was possible. Although exploitation is very unlikely, an attacker could use this to gain access to files on the host on which PRTG is installed.
We do not know of any case where this vulnerability has actually been exploited. We will not publish the technical details, so as not to put customers who have not yet updated at risk.
We are sorry about this incident and have worked hard to provide a fix as soon as possible. We will assist all customers while updating to PRTG V16.1.21.1421/1422 (or later). If you have a trusted Paessler Partner, please contact them; they will also be able to assist you.
Sincerely,
Dirk Paessler, CEO