Product Documentation

PlexTrac helps cybersecurity teams improve and centralize workflow management processes across the entire lifecycle. The platform streamlines all aspects of the process, from staging offensive engagements and conducting assessments to analyzing data and reporting, prioritizing critical issues, collaborating between teams, and communicating with stakeholders.

Visit the Using This Site page for orientation and tips about using the site navigation, exporting pages to PDF, using search, and leaving page feedback.

PlexTrac Modules

When logging in to PlexTrac, users are greeted by the Dashboard page. Seven modules exist besides the Dashboard: Clients, Assessments, Reports, Priorities, Content Library, Analytics, and Runbooks.

Click a box to learn about a module.

Tenant Management

PlexTrac provides many options for configuring a tenant. Below are links to documentation for administration tasks, configuring user-specific settings, configuring authentication (OATH and SAML), integrating with APIs and parsers, installing and maintaining PlexTrac locally, and much more.

Click a box to learn about a topic.

Dashboard

viewing assigned findings, reports, assessments, and priorities

Clients

adding clients, adding assets, using short codes, exporting reports

Schedule

set up and view engagements and manage resources for reports

Assessments

managing assessments, creating questions, managing answer types

Reports

creating reports, importing findings, exporting reports, affected assets

Priorities

create priorities, link findings, link assets, manage scores and status

Content Library

set up and manage NarrativesDB, WriteupsDB, and RunbooksDB

Analytics

findings metrics, filters, assets metrics, runbooks metrics, trends & SLAs

Runbooks

engagements, test plans, procedures, importing and exporting runbooks

Tenant Administration

User Profile Settings

Authentication Methods

Integrations and Imports

Supported Applications

API Documentation


Using This Site

Greetings! This page guides you in using the PlexTrac Documentation website effectively and efficiently, including navigation, exporting content, leaving feedback, and using search.

Left Navigation Bar

The main navigation menu is on the left sidebar. It features links to various sections and pages of the website. These links act as gateways to specific areas, allowing you to find the information you need quickly. To navigate to the desired section, simply click on the corresponding link.

This site contains four main sections:

🟣 Product Documentation: This includes the home page and general information about PlexTrac that applies to all users, along with the following helpful resources: a quick start guide for new users, a page highlighting new end-user features, and release notes.

🟣 PlexTrac Modules: This includes all the modules in the platform, including those licensed.

🟣 Tenant Management: This guide is for administrators and covers various PlexTrac topics. It includes information on the admin dashboard, authentication configuration, integrations, third-party file imports, supported operating systems and browsers.

🟣 API Documentation: This section provides a comprehensive guide on how to use APIs and webhooks. It includes a "Getting Started" guide, a list of object structures and their attributes, and practical use cases. The documentation also outlines the API Change policy and logs the changes to ensure transparency and inform users of any updates or changes.

Search

This website provides multiple search options: keyword search, phrases in the form of questions, or selecting a query from the pulldown list.

To initiate a search query, click the "Search" box at the top right corner of the page or use the keyboard shortcut Ctrl-k.

Users who type in the search bar will see dynamic search results. The search results will display relevant pages on the site for preview and context, which can be clicked to visit.

Clicking a question provides answers in the search box with relevant information and sourcing listed at the bottom.

Export to PDF

Export to PDF is a function that downloads a digital file of a page or pages in PDF format that can be viewed, printed, and shared offline. To export a page, click Export as PDF, which can be found at the end of the page headings at the top right.

A preview page that can be printed or saved as a PDF appears.

Page Published Date

Each page has a timestamp of when it was last updated.

Page Rating

Each page allows readers to provide feedback on the helpfulness of the content (not a rating of the product functionality discussed on the page). Click one of the three options to provide feedback.

Deployment and Maintenance Policy

PlexTrac has region-specific deployment and maintenance windows to accommodate international growth and ensure minimal disruption to the global customer base. This approach offers several key benefits:

  • Targeted updates: PlexTrac can roll out updates during off-peak hours for each geographic area.

  • Reduced downtime: Ensures users experience system improvements outside their primary working hours.

  • Improved responsiveness: This allows PlexTrac to be more agile in addressing region-specific needs or issues.

  • Better resource allocation: Provides more targeted support and monitoring, ensuring smoother updates.

Deployment Regions and Timeframes

The start date for each deployment is listed in the Release Notes. The process begins in North America, followed by Australia/Eastern Asia and Europe/Western Asia the following day.

| Region | Deployment Timeframe (MDT) | Deployment Timeframe (UTC) | Local Timeframe |
|---|---|---|---|
| Australia/Eastern Asia | 09:00 - 12:00 | 15:00 - 18:00 | 01:00 - 04:00 (SYD) |
| Europe/Western Asia | 14:00 - 17:00 | 20:00 - 23:00 | 21:00 - 00:00 (LON) |
| North America | 21:00 - 00:00 (following day) | 03:00 - 06:00 (following day) | 23:00 - 02:00 (NYC) |

Supported Applications

To ensure the best experience when using PlexTrac, recommendations for applications and utilities are provided below. These recommendations maximize the functionality and efficiency of PlexTrac's capabilities.

Operating Systems

PlexTrac does not support iOS and Android operating systems.

| Software | Supported Version |
|---|---|
| macOS | Ventura |
| Windows | 10, 11 |

Desktop and Laptop Browsers

Using an updated browser ensures access to the full range of features available. Other browsers or older versions of supported browsers are not guaranteed to keep all features.

| Platform | Browser | Supported |
|---|---|---|
| Windows | Chrome | latest stable version |
| Windows | Edge | latest stable version |
| Windows | Firefox | latest stable version |
| macOS | Chrome | latest stable version |
| macOS | Edge | latest stable version |
| macOS | Firefox | latest stable version |
| macOS | Safari | latest stable version |

Security Advisories

PlexTrac believes in transparency and open communication regarding security matters. This page is a centralized hub where details about newly discovered security flaws, severity ratings, affected product versions, and instructions on mitigating or fixing those vulnerabilities are published.

PlexTrac strongly encourages all users to regularly review this page and promptly apply the recommended mitigations or updates to safeguard their systems against potential security risks.

For additional questions and comments, contact PlexTrac security at .

Release 2.11.0

11/05/2024

This is not an incident notice or a breach notification. Your data remains safe, and the integrity of our platform remains intact.

Through collaboration with third-party researchers and processing responsible disclosure, the following security issues have been patched/remediated:

Server-side Request Forgery (SSRF)

A vulnerability in the PlexTrac application allowed an attacker to interact with internal application components by utilizing a server-side request forgery variable. Upon discovery, the endpoint was identified as unused based on historic forensic log searching and static analysis of in-code references.

Insecure Deserialization via Runbooks Imports

A vulnerability was identified in a dependency used in our runbooks module to handle the upload/import of custom runbooks. The package maintainer identified a potential vulnerability in their code and proactively patched it; however, static analysis and software composition analysis tools are not currently reporting or detecting the issue.

Local File Inclusion

An undocumented and unpublished legacy endpoint was identified as having a local file inclusion vulnerability within the PlexTrac platform. Upon discovery, the endpoint was identified as unused based on historic forensic log searching and static analysis for in-code references to the endpoint.

N1QL Injection

An N1QL injection vulnerability was discovered within a legacy part of the application (slated for deprecation and removal). Upon initial report, the issue had already been resolved and was pending a scheduled platform release.

Denial of Service

Within a dependency of PlexTrac's frontend, a denial of service vulnerability was identified. This allowed an attacker to craft a payload, resulting in a temporary restart of the web server by oversaturating an active websocket connection.

Upon discovery, the package and its uses were evaluated, resulting in the removal of the vulnerable package and the disabling of the use of the affected websocket endpoint within the platform. No patches were available to resolve the underlying vulnerability.

Insecure YAML Deserialization

An unsafe default within an open-source dependency that handles importing runbooks data into the platform was identified, allowing code execution within the legacy runbooks importer.

After concluding the initial triage, PlexTrac's team resolved the issue within the code to rely upon a safe method for handling parsing runbooks data files.

Arbitrary File Write via PTRAC Import

Within the PTRAC report import functionality of the PlexTrac platform, an arbitrary file write vulnerability was detected in the mechanism intended to facilitate transferring report artifacts between instances of the platform. This vulnerability is only exploitable when combined with an arbitrary directory write primitive.

After triage, the team was able to patch the issue and apply both validation/sanitization mechanisms to PTRAC files.

Arbitrary Directory Write via Runbooks Artifact Upload

Within the runbooks module's attachment upload function, a directory traversal vulnerability was detected. This allowed end users to write non-arbitrary files outside their intended destination on the remote system and, in doing so, create arbitrary directories. These directories could then be used as part of other vulnerabilities to gain code execution.

Post triage, the team was able to patch the issue, apply both validation/sanitization mechanisms to the affected endpoints and prevent the directory traversal and arbitrary directory creation.
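A containment check of the kind this fix describes, shown as an added example that is not PlexTrac's code. The function names, the upload-root layout, and the sample attachment names are constructed assumptions; the check validates the client-supplied name before any directory or file is created.

```python
import tempfile
from pathlib import Path


class UnsafeUploadPath(ValueError):
    """A client-supplied attachment name would land outside the upload root."""


def resolve_upload_path(upload_root, client_name: str) -> Path:
    """Return the destination for client_name, guaranteed to sit under upload_root."""
    root = Path(upload_root).resolve()
    # Split on both separator styles regardless of the server OS.
    parts = client_name.replace("\\", "/").split("/")
    # Empty parts cover "", absolute paths and '//'; ':' covers Windows drive prefixes.
    if "\x00" in client_name or any(p in ("", ".", "..") or ":" in p for p in parts):
        raise UnsafeUploadPath(f"rejected component in {client_name!r}")
    # Resolve symlinks before the containment check so a link cannot redirect the write.
    candidate = root.joinpath(*parts).resolve()
    if root not in candidate.parents:
        raise UnsafeUploadPath(f"{client_name!r} resolves outside the upload root")
    return candidate


def store_attachment(upload_root, client_name: str, data: bytes) -> Path:
    """Validate first, then create directories and the file only under the root."""
    dest = resolve_upload_path(upload_root, client_name)
    dest.parent.mkdir(parents=True, exist_ok=True)
    with open(dest, "xb") as fh:  # 'x' refuses to overwrite an existing file
        fh.write(data)
    return dest


def demo() -> dict:
    """Run constructed attachment names through the check; True means stored."""
    names = ["evidence/scan.txt", "../outside/new_dir/x", "/abs/x", "..\\x", "link/x.txt"]
    with tempfile.TemporaryDirectory() as tmp:
        root, outside = Path(tmp, "uploads"), Path(tmp, "outside")
        root.mkdir()
        outside.mkdir()
        (root / "link").symlink_to(outside)  # constructed symlink pointing out of the root
        results = {}
        for name in names:
            try:
                store_attachment(root, name, b"constructed sample bytes")
                results[name] = True
            except UnsafeUploadPath:
                results[name] = False
        results["outside_untouched"] = not any(outside.iterdir())
    return results
```

Because directory creation happens only after the resolved path is confirmed to be under the root, a rejected name leaves no stray directories behind.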

All findings noted above were identified and reported by the NAT Cyber Security Centre team, including:

  • Arnoldas Radisauskas

  • Selim Decamps

  • Ianis Bernard

To date, PlexTrac has not identified any exploitation of the items outlined within this advisory across privately hosted systems managed by PlexTrac's operations team. All items in this advisory were resolved within hours of the report, and your data/systems remain safe and secure.

Release 2.9.0

9/10/2024

An information exposure issue was identified within the platform that allowed users who had not been granted the VIEW CLIENT ASSETS permission to see information about affected assets within API responses. The permission was enforced in several areas of the application. However, when viewing findings, the affected assets for that finding were inadvertently disclosed in an API response. The issue has been patched to ensure proper asset restriction when viewing reports and findings throughout the platform.

CVE-2024-11836
CVE-2024-11839
CVE-2024-11838
CVE-2024-11837
CVE-2024-11835
CVE-2024-12687
CVE-2024-11834
CVE-2024-11833