Checkmk werks security November 2023

checkmk-werks-sec@lists.checkmk.com

1 participants
16 discussions

[1.2.5] Checkmk Werk 978 adapted: Fix security issue with mk-job on Linux

by Checkmk security werks

Werk 978 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: Fix security issue with mk-job on Linux Level: 2 Component: checks Version: 1.2.5i3 Date: 1401093260 Class: security Compatible: incomp By use of symlinks or hardlinks normal users could inject files to be read with root permissions. This was due to the fact that <tt>/var/lib/check_mk_agent/job</tt> was installed with the permissions <tt>1777</tt>, just as <tt>/tmp</tt>. That way a normal user could have placed a symlink to a file there that is only readable by <tt>root</tt>. The content of that file would then appear in the agent output. This has been fixed by not longer using <tt>/var/lib/check_mk_agent/job</tt> directly, but by creating a separate subdirectory below that for each user. This is done by a new version of <tt>/usr/bin/mk-job</tt>, so please make sure that if you update the agent that you also update <tt>mk-job</tt>. Also you now have to create job subdirectories for non-<tt>root</tt> jobs manually. If you have a job running as user <tt>foo</tt>, then do: C+: RP:mkdir -p /var/lib/check_mk_agent/job RP:chown foo:foo /var/lib/check_mk_agent/job C-: If you update the Check_MK Agent with RPMs/DEB from the new agent bakery or by an RPM/DEB created from the source code with <tt>make rpm</tt> or <tt>make deb</tt> then the permissions of <tt>/var/lib/check_mk_agent/job</tt> are automatically fixed. If you have installed the agent manually then please make sure that the permissions of the job directory are set properly: C+: RP:chmod 755 /var/lib/check_mk_agent/job C-: ------------------------------------<diff>------------------------------------------- Title: Fix security issue with mk-job on Linux Level: 2 Component: checks Version: 1.2.5i3 Date: 1401093260 Class: security Compatible: incomp By use of symlinks or hardlinks normal users could inject files to be read with root permissions. This was due to the fact that <tt>/var/lib/check_mk_agent/job</tt> was installed with the permissions <tt>1777</tt>, just as <tt>/tmp</tt>. That way a normal user could have placed a symlink to a file there that is only readable by <tt>root</tt>. The content of that file would then appear in the agent output. This has been fixed by not longer using <tt>/var/lib/check_mk_agent/job</tt> directly, but by creating a separate subdirectory below that for each user. This is done by a new version of <tt>/usr/bin/mk-job</tt>, so please make sure that if you update the agent that you also update <tt>mk-job</tt>. Also you now have to create job subdirectories for non-<tt>root</tt> jobs manually. If you have a job running as user <tt>foo</tt>, then do: C+: RP:mkdir -p /var/lib/check_mk_agent/job - RP:chown foo.foo /var/lib/check_mk_agent/job ? ^ + RP:chown foo:foo /var/lib/check_mk_agent/job ? ^ C-: If you update the Check_MK Agent with RPMs/DEB from the new agent bakery or by an RPM/DEB created from the source code with <tt>make rpm</tt> or <tt>make deb</tt> then the permissions of <tt>/var/lib/check_mk_agent/job</tt> are automatically fixed. If you have installed the agent manually then please make sure that the permissions of the job directory are set properly: C+: RP:chmod 755 /var/lib/check_mk_agent/job C-:

5 months, 3 weeks

[2.1.0] Checkmk Werk 16224 created: CSRF in user-message deletion

by Checkmk security werks

Title: CSRF in user-message deletion Class: security Compatible: compat Component: wato Date: 1700648297 Edition: cre Level: 1 Version: 2.1.0p37 In Checkmk you can message other users via Send user message. Prior to this Werk an authenticated attacker who receives such a user-message could craft a link with the generated message uuid to delete the message. This link was prone to CSRF and when another user was tricked into opening this link the message was deleted possibly before the user could read it. LI: This vulnerability was identified through a commissioned penetration test conducted by Port Zero. Affected Versions: * 2.2.0 * 2.1.0 * 2.0.0 Vulnerability Management: We have rated the issue with a CVSS Score of 3.5 (Low) with the following CVSS vector: <tt>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N</tt>. We assigned CVE-2023-6251 to this vulnerability. Changes: This Werk adds CSRF token validation to this endpoint.

6 months

[2.1.0] Checkmk Werk 16221 created: Livestatus Injections

by Checkmk security werks

Title: Livestatus Injections Class: security Compatible: compat Component: wato Date: 1700066363 Edition: cre Level: 1 Version: 2.1.0p37 Prior to this Werk it was possible to inject arbitrary livestatus commands to the core via the WebUI. We found this vulnerability internally. Affected Versions: * 2.2.0 * 2.1.0 * 2.0.0 Vulnerability Management: We have rated the issue with a CVSS Score of 7.6 (High) with the following CVSS vector: <tt>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H</tt>. We assigned CVE-2023-6156 and CVE-2023-6157 to these vulnerabilities. Changes: This Werk strips the relevant parameters of newlines.

6 months

[2.2.0] Checkmk Werk 16224 created: CSRF in user-message deletion

by Checkmk security werks

Title: CSRF in user-message deletion Class: security Compatible: compat Component: wato Date: 1700648297 Edition: cre Level: 1 Version: 2.2.0p15 In Checkmk you can message other users via Send user message. Prior to this Werk an authenticated attacker who receives such a user-message could craft a link with the generated message uuid to delete the message. This link was prone to CSRF and when another user was tricked into opening this link the message was deleted possibly before the user could read it. LI: This vulnerability was identified through a commissioned penetration test conducted by Port Zero. Affected Versions: * 2.2.0 * 2.1.0 * 2.0.0 Vulnerability Management: We have rated the issue with a CVSS Score of 3.5 (Low) with the following CVSS vector: <tt>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N</tt>. We assigned CVE-2023-6251 to this vulnerability. Changes: This Werk adds CSRF token validation to this endpoint.

6 months

[2.2.0] Checkmk Werk 16221 created: Livestatus Injections

by Checkmk security werks

Title: Livestatus Injections Class: security Compatible: compat Component: wato Date: 1700066363 Edition: cre Level: 1 Version: 2.2.0p15 Prior to this Werk it was possible to inject arbitrary livestatus commands to the core via the WebUI. We found this vulnerability internally. Affected Versions: * 2.2.0 * 2.1.0 * 2.0.0 Vulnerability Management: We have rated the issue with a CVSS Score of 7.6 (High) with the following CVSS vector: <tt>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H</tt>. We assigned CVE-2023-6156 and CVE-2023-6157 to these vulnerabilities. Changes: This Werk strips the relevant parameters of newlines.

6 months

[2.3.0] Checkmk Werk 16224 created: CSRF in user-message deletion

by Checkmk security werks

Title: CSRF in user-message deletion Class: security Compatible: compat Component: wato Date: 1700648297 Edition: cre Level: 1 Version: 2.3.0b1 In Checkmk you can message other users via *Send user message*. Prior to this Werk an authenticated attacker who receives such a user-message could craft a link with the generated message uuid to delete the message. This link was prone to CSRF and when another user was tricked into opening this link the message was deleted possibly before the user could read it. * This vulnerability was identified through a commissioned penetration test conducted by Port Zero. Affected Versions: LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 Vulnerability Management: We have rated the issue with a CVSS Score of 3.5 (Low) with the following CVSS vector: <tt>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N</tt>. We assigned CVE-2023-6251 to this vulnerability. Changes: This Werk adds CSRF token validation to this endpoint.

6 months

[2.3.0] Checkmk Werk 16221 created: Livestatus Injections

by Checkmk security werks

Title: Livestatus Injections Class: security Compatible: compat Component: wato Date: 1700066363 Edition: cre Level: 1 Version: 2.3.0b1 Prior to this Werk it was possible to inject arbitrary livestatus commands to the core via the WebUI. We found this vulnerability internally. Affected Versions: LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 Vulnerability Management: We have rated the issue with a CVSS Score of 7.6 (High) with the following CVSS vector: <tt>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H</tt>. We assigned CVE-2023-6156 and CVE-2023-6157 to these vulnerabilities. Changes: This Werk strips the relevant parameters of newlines.

6 months

[2.1.0] Checkmk Werk 15195 created: Protect automation user secret against timing attacks

by Checkmk security werks

Title: Protect automation user secret against timing attacks Class: security Compatible: compat Component: wato Date: 1700216645 Edition: cre Knowledge: undoc Level: 1 State: unknown Version: 2.1.0p37 This Werks improves how the secret of an automation user is validated during login. Prior to the Werk, the automation user's password was not checked in a way that is safe against (theoretical) timing attacks. This is fixed now. Even though this Werk improves security, it does not address an exploitable vulnerability. To aid automated scanning we assign a CVSS score of 0.0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).

6 months

[2.2.0] Checkmk Werk 15195 created: Protect automation user secret against timing attacks

by Checkmk security werks

Title: Protect automation user secret against timing attacks Class: security Compatible: compat Component: wato Date: 1700216645 Edition: cre Knowledge: undoc Level: 1 State: unknown Version: 2.2.0p15 This Werks improves how the secret of an automation user is validated during login. Prior to the Werk, the automation user's password was not checked in a way that is safe against (theoretical) timing attacks. This is fixed now. Even though this Werk improves security, it does not address an exploitable vulnerability. To aid automated scanning we assign a CVSS score of 0.0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).

6 months

[2.3.0] Checkmk Werk 15195 created: Protect automation user secret against timing attacks

by Checkmk security werks

Title: Protect automation user secret against timing attacks Class: security Compatible: compat Component: wato Date: 1700216645 Edition: cre Level: 1 Version: 2.3.0b1 This Werks improves how the secret of an automation user is validated during login. Prior to the Werk, the automation user's password was not checked in a way that is safe against (theoretical) timing attacks. This is fixed now. Even though this Werk improves security, it does not address an exploitable vulnerability. To aid automated scanning we assign a CVSS score of 0.0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).

6 months

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

Checkmk werks security November 2023