PlexTrac believes in maintaining transparency and open communication regarding security matters. This page is a centralized hub where details about newly discovered security flaws are published, along with their severity ratings, affected product versions, and instructions on mitigating or fixing those vulnerabilities.
PlexTrac strongly encourages all users to regularly review this page and promptly apply the recommended mitigations or updates to safeguard their systems against potential security risks.
For additional questions and comments, contact PlexTrac security at security@plextrac.com.
11/05/2024
This is not an incident notice or a breach notification. Your data remains safe, and the integrity of our platform remains intact.
Through collaboration with third-party researchers and the processing of responsible disclosures, the following security issues have been patched/remediated:
A vulnerability was identified within a dependency used in our runbooks module for handling the upload/import of custom runbooks. The maintainer of the package identified a potential vulnerability within their code and proactively patched it; however, static analysis and software composition analysis tools are not currently reporting or detecting the issue.
An undocumented and unpublished legacy endpoint was identified as having a local file inclusion vulnerability within the PlexTrac platform. Upon discovery, the endpoint was identified as unused based on historic forensic log searching and static analysis for in-code references to the endpoint.
An N1QL injection vulnerability was discovered within a legacy part of the application (slated for deprecation and removal). Upon initial report, the issue had already been resolved and was pending a scheduled platform release.
Within a dependency of PlexTrac's frontend, a denial of service vulnerability was identified. This allowed an attacker to craft a payload resulting in a temporary restart of the web server by oversaturating an active websocket connection.
Upon discovery, the package and its uses were evaluated, resulting in the removal of the vulnerable package and the disabling of the use of the affected websocket endpoint within the platform. No patches were available to resolve the underlying vulnerability.
An unsafe default within an open-source dependency that handles importing runbooks data into the platform was identified, allowing code execution within the legacy runbooks importer.
After concluding the initial triage, PlexTrac's team resolved the issue in the code by relying on a safe method for parsing runbooks data files.
Within the PTRAC report import functionality of the PlexTrac platform, an arbitrary file write vulnerability was detected in the mechanism intended to facilitate transferring report artifacts between instances of the platform. This vulnerability is only exploitable when combined with an arbitrary directory write primitive.
After triage, the team was able to patch the issue and apply both validation and sanitization mechanisms to PTRAC files.
Within the runbooks module's attachment upload function, a directory traversal vulnerability was detected. This allowed end users to write non-arbitrary files outside their intended destination on the remote system and thereby create arbitrary directories. These directories could then be used as part of other vulnerabilities to gain code execution.
Post triage, the team was able to patch the issue and apply both validation and sanitization mechanisms to the affected endpoints, preventing the directory traversal and arbitrary directory creation.
All findings noted above were identified and reported by the NAT Cyber Security Centre team, including:
Arnoldas Radisauskas
Selim Decamps
Ianis Bernard
To date, PlexTrac has not identified any exploitation of the items outlined within this advisory across privately hosted systems managed by PlexTrac's operations team. All items in this advisory were resolved within hours of the report, and your data/systems remain safe and secure.
9/10/2024
An information exposure issue was identified within the platform, which would allow users not granted the VIEW CLIENT ASSETS permission to see information regarding affected assets within API responses.
Permission was enforced in several areas of the application. However, when viewing findings, the affected assets for that finding were inadvertently disclosed in an API response.
The issue has been patched to ensure proper asset restriction when viewing reports and findings throughout the platform.
PlexTrac has region-specific deployment and maintenance windows to accommodate international growth and ensure minimal disruption to the global customer base. This approach offers several key benefits:
Targeted updates: PlexTrac can roll out updates during off-peak hours for each geographic area.
Reduced downtime: Ensures users experience system improvements outside their primary working hours.
Improved responsiveness: This allows PlexTrac to be more agile in addressing region-specific needs or issues.
Better resource allocation: Provides more targeted support and monitoring, ensuring smoother updates.
The start date for each deployment is listed in the Release Notes. The process begins in North America, followed by Australia/Eastern Asia and Europe/Western Asia the following day.
Region | Deployment Timeframe (MDT) | Deployment Timeframe (UTC) | Local Timeframe |
---|---|---|---|
Australia/Eastern Asia | 09:00 - 12:00 | 15:00 - 18:00 | 01:00 - 04:00 (SYD) |
Europe/Western Asia | 14:00 - 17:00 | 20:00 - 23:00 | 21:00 - 00:00 (LON) |
North America | 21:00 - 00:00 (following day) | 03:00 - 06:00 (following day) | 23:00 - 02:00 (NYC) |
To ensure the best experience when using PlexTrac, the following recommendations for applications and utilities are provided below. These recommendations maximize the functionality and efficiency of PlexTrac's capabilities.
PlexTrac does not support iOS and Android operating systems.
Using an updated browser ensures access to the full range of features available. Other browsers, or older versions of supported browsers, are not guaranteed to support all features.
Greetings! This page guides the effective and efficient use of the PlexTrac Documentation website, including navigation, exporting content, leaving feedback, and using search.
The main navigation menu is on the left sidebar, and it features links to various sections and pages of the website. These links act as gateways to specific areas, allowing you to find the information you need quickly. To navigate to the desired section, simply click on the corresponding link.
This site contains four main sections:
🟣 Product Documentation: This includes the home page and general information about PlexTrac that applies to all users, along with the following helpful resources: a quick start guide for new users, a page highlighting new end-user features, and release notes.
🟣 PlexTrac Modules: This includes all the modules in the platform, including those licensed.
🟣 Tenant Management: This guide is for administrators and covers various PlexTrac topics. It includes information on the admin dashboard, authentication configuration, integrations, third-party file imports, supported operating systems and browsers.
🟣 API Documentation: This section provides a comprehensive guide on how to use our API. It includes a "Getting Started" guide, a list of object structures and their attributes, and practical use cases. The documentation also outlines the API Change policy and logs the changes to ensure transparency and inform users of any updates or changes.
This website provides multiple search options: keyword search, phrases in the form of a question, or selecting a query provided in the pulldown list.
To initiate a search query, click the "Search" box at the top right corner of the page or use the keyboard shortcut Ctrl-k.
Users who type in the search bar will see dynamic search results. The search results will display relevant pages on the site for preview and context, which can be clicked to visit.
Clicking a question provides answers in the search box with relevant information and sourcing listed at the bottom.
Export to PDF is a function that downloads a digital file of a page or pages in PDF format that can be viewed, printed, and shared offline. To export a page, click Export as PDF, which can be found at the end of the page headings at the top right.
A preview page that can be printed or saved as a PDF appears.
Each page has a timestamp of when it was last updated.
Each page allows reader feedback on the helpfulness of the content (not a rating of the product functionality discussed on the page). Provide feedback by clicking one of the three options.
PlexTrac helps cybersecurity teams improve and centralize workflow management processes across the entire lifecycle. The platform streamlines all aspects of the process, from staging offensive engagements and conducting assessments to analyzing data and reporting, prioritizing critical issues, collaborating between teams, and communicating with stakeholders.
Visit the Using This Site page for orientation and tips about using the site navigation, exporting pages to PDF, using search, and leaving page feedback.
When logging in to PlexTrac, users are greeted by the Dashboard page. Seven modules exist besides the Dashboard: Clients, Assessments, Reports, Priorities, Content Library, Analytics, and Runbooks.
Click a box to learn about a module.
PlexTrac provides many options for configuring a tenant. Below are links to documentation for administration tasks, configuring user-specific settings, configuring authentication (OATH and SAML), integrating with APIs and parsers, installing and maintaining PlexTrac locally, and much more.
Click a box to learn about a topic.