Title: Disabled automation users could still authenticate
Class: security
Compatible: incomp
Component: wato
Date: 1702309789
Edition: cre
Level: 1
Version: 2.1.0p38
Prior to this Werk, an automation user whose password was disabled (the option also described as "disable the login to this account") was still able to authenticate.
The disabled flag of a user was not checked for automation users.
We found this vulnerability internally.
<b>Affected Versions</b>:
* 2.2.0
* 2.1.0
* 2.0.0
* 1.6.0
* 1.5.0 (probably older versions as well)
<b>Mitigations</b>:
If the need arises to block an automation user, one can change the password or remove that user from the system.
<b>Vulnerability Management</b>:
We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector:
<tt>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</tt>.
We assigned CVE-2023-31211 to this vulnerability.
<b>Changes</b>:
This Werk adds a check of the disabled flag for automation users. During the update you will be warned if an automation user is currently disabled.
Title: Local privilege escalation in agent plugin 'mk_tsm'
Class: security
Compatible: incomp
Component: checks
Date: 1702411459
Edition: cre
Level: 1
Version: 2.1.0p38
By crafting a malicious command that then shows up in the output of <code>ps</code>, users of monitored hosts could gain root privileges.
This was achieved by exploiting the insufficient quoting when using ksh's <code>eval</code> to create the required environment.
This issue was found during internal review.
<h3>Affected Versions</h3>
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL) and older
<h3>Mitigations</h3>
If updating is not possible, disable the Tivoli Storage Manager plugin.
<h3>Vulnerability Management</h3>
We have rated the issue with a CVSS score of 8.8 (High) with the following CVSS vector:
<code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>
We have assigned <code>CVE-2023-6735</code>.
<h3>Changes</h3>
With this change we no longer use <code>eval</code> and fix the quoting.
This prevents variable exports from being misinterpreted as commands to execute.
Title: jar_signature: Prevent privilege escalation to root
Class: security
Compatible: incomp
Component: checks
Date: 1702395666
Edition: cre
Level: 3
Version: 2.1.0p38
The jar_signature agent plugin (configured by the 'Signatures of certificates in JAR files' bakery rule)
was vulnerable to privilege escalation to root by the oracle user.
A malicious oracle user could replace the jarsigner binary with a script of their own placed
in the JAVA_HOME directory. That script would then be executed by the root user.
The jarsigner is now executed by the oracle user, preventing the privilege escalation.
This werk is incompatible for users that use the jar_signature plugin. To avoid risk, users
should deploy the new version of the plugin or disable it.
This issue was found during internal review.
<h3>Affected Versions</h3>
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL) and older
<h3>Mitigations</h3>
If updating is not possible, disable the jar_signature plugin.
<h3>Vulnerability Management</h3>
We have rated the issue with a CVSS score of 8.8 (High) with the following CVSS vector:
<code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>
We have assigned <code>CVE-2023-6740</code>.
<h3>Changes</h3>
The jarsigner binary is now executed by the oracle user.
Title: Local privilege escalation in agent plugin 'mk_tsm'
Class: security
Compatible: incomp
Component: checks
Date: 1702411459
Edition: cre
Level: 1
Version: 2.2.0p18
By crafting a malicious command that then shows up in the output of <code>ps</code>, users of monitored hosts could gain root privileges.
This was achieved by exploiting the insufficient quoting when using ksh's <code>eval</code> to create the required environment.
This issue was found during internal review.
<h3>Affected Versions</h3>
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL) and older
<h3>Mitigations</h3>
If updating is not possible, disable the Tivoli Storage Manager plugin.
<h3>Vulnerability Management</h3>
We have rated the issue with a CVSS score of 8.8 (High) with the following CVSS vector:
<code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>
We have assigned <code>CVE-2023-6735</code>.
<h3>Changes</h3>
With this change we no longer use <code>eval</code> and fix the quoting.
This prevents variable exports from being misinterpreted as commands to execute.
Title: Disabled automation users could still authenticate
Class: security
Compatible: incomp
Component: wato
Date: 1702309789
Edition: cre
Level: 1
Version: 2.2.0p18
Prior to this Werk, an automation user whose password was disabled (the option also described as "disable the login to this account") was still able to authenticate.
The disabled flag of a user was not checked for automation users.
We found this vulnerability internally.
<b>Affected Versions</b>:
* 2.2.0
* 2.1.0
* 2.0.0
* 1.6.0
* 1.5.0 (probably older versions as well)
<b>Mitigations</b>:
If the need arises to block an automation user, one can change the password or remove that user from the system.
<b>Vulnerability Management</b>:
We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector:
<tt>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</tt>.
We assigned CVE-2023-31211 to this vulnerability.
<b>Changes</b>:
This Werk adds a check of the disabled flag for automation users. During the update you will be warned if an automation user is currently disabled.
Title: jar_signature: Prevent privilege escalation to root
Class: security
Compatible: incomp
Component: checks
Date: 1702395666
Edition: cre
Level: 3
Version: 2.2.0p18
The jar_signature agent plugin (configured by the 'Signatures of certificates in JAR files' bakery rule)
was vulnerable to privilege escalation to root by the oracle user.
A malicious oracle user could replace the jarsigner binary with a script of their own placed
in the JAVA_HOME directory. That script would then be executed by the root user.
The jarsigner is now executed by the oracle user, preventing the privilege escalation.
This werk is incompatible for users that use the jar_signature plugin. To avoid risk, users
should deploy the new version of the plugin or disable it.
This issue was found during internal review.
<h3>Affected Versions</h3>
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL) and older
<h3>Mitigations</h3>
If updating is not possible, disable the jar_signature plugin.
<h3>Vulnerability Management</h3>
We have rated the issue with a CVSS score of 8.8 (High) with the following CVSS vector:
<code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>
We have assigned <code>CVE-2023-6740</code>.
<h3>Changes</h3>
The jarsigner binary is now executed by the oracle user.
Title: Disabled automation users could still authenticate
Class: security
Compatible: incomp
Component: wato
Date: 1702309789
Edition: cre
Level: 1
Version: 2.3.0b1
Prior to this Werk, an automation user whose password was disabled (the option also described as "disable the login to this account") was still able to authenticate.
The disabled flag of a user was not checked for automation users.
We found this vulnerability internally.
<b>Affected Versions</b>:
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0
LI: 1.6.0
LI: 1.5.0 (probably older versions as well)
<b>Mitigations</b>:
If the need arises to block an automation user, one can change the password or remove that user from the system.
<b>Vulnerability Management</b>:
We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector:
<tt>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</tt>.
We assigned CVE-2023-31211 to this vulnerability.
<b>Changes</b>:
This Werk adds a check of the disabled flag for automation users. During the update you will be warned if an automation user is currently disabled.
Title: Local privilege escalation in agent plugin 'mk_tsm'
Class: security
Compatible: incomp
Component: checks
Date: 1702411459
Edition: cre
Level: 1
Version: 2.3.0b1
By crafting a malicious command that then shows up in the output of `ps`, users of monitored hosts could gain root privileges.
This was achieved by exploiting the insufficient quoting when using ksh's `eval` to create the required environment.
This issue was found during internal review.
### Affected Versions
* 2.2.0
* 2.1.0
* 2.0.0 (EOL) and older
### Mitigations
If updating is not possible, disable the Tivoli Storage Manager plugin.
### Vulnerability Management
We have rated the issue with a CVSS score of 8.8 (High) with the following CVSS vector:
`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`
We have assigned `CVE-2023-6735`.
### Changes
With this change we no longer use `eval` and fix the quoting.
This prevents variable exports from being misinterpreted as commands to execute.
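As an added example written for this page (not the mk_tsm plugin's own code, before or after the fix), the defensive pattern behind the change described in the mk_tsm werk entries above: tokens taken from `ps` output are validated one by one and exported as single arguments, so nothing is ever re-parsed by `eval` and a token carrying shell syntax is dropped rather than executed. It assumes the needed data appears as NAME=VALUE tokens in the `ps` line (as `ps e` prints a process environment); the DSM_* names are illustrative.

```shell
#!/bin/sh
# Added example, not the mk_tsm plugin's code. Assumption: the plugin needs
# NAME=VALUE tokens found in ps output (e.g. the environment that "ps e"
# prints for the dsmserv process); DSM_DIR/DSM_CONFIG are illustrative names.
#
# The unsafe pattern is eval "export $tokens": eval re-parses the text, so a
# token containing shell syntax is executed. Here nothing is re-parsed.

# Print only tokens that are well-formed assignments: NAME is a shell
# identifier, VALUE is restricted to a conservative character set.
filter_assignments() {
    printf '%s\n' "$1" | tr -s ' \t' '\n\n' | while IFS= read -r tok; do
        case "$tok" in
            *=*) ;;
            *) continue ;;                 # not an assignment at all
        esac
        name=${tok%%=*}
        value=${tok#*=}
        case "$name" in
            [A-Za-z_]*) ;;
            *) continue ;;                 # must start with a letter or '_'
        esac
        case "$name" in
            *[!A-Za-z0-9_]*) continue ;;   # non-identifier character in NAME
        esac
        case "$value" in
            *[!A-Za-z0-9_/.:@,+=-]*) continue ;;   # metacharacters, quotes ...
        esac
        printf '%s=%s\n' "$name" "$value"
    done
}

# Export the accepted assignments. "export" receives each NAME=VALUE as one
# quoted argument, so the value is stored literally and is never run.
export_assignments() {
    for assignment in $(filter_assignments "$1"); do
        export "$assignment"
    done
}
```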
Title: jar_signature: Prevent privilege escalation to root
Class: security
Compatible: incomp
Component: checks
Date: 1702395666
Edition: cre
Level: 3
Version: 2.3.0b1
The jar_signature agent plugin (configured by the 'Signatures of certificates in JAR files' bakery rule)
was vulnerable to privilege escalation to root by the oracle user.
A malicious oracle user could replace the jarsigner binary with a script of their own placed
in the JAVA_HOME directory. That script would then be executed by the root user.
The jarsigner is now executed by the oracle user, preventing the privilege escalation.
This werk is incompatible for users that use the jar_signature plugin. To avoid risk, users
should deploy the new version of the plugin or disable it.
This issue was found during internal review.
### Affected Versions
* 2.2.0
* 2.1.0
* 2.0.0 (EOL) and older
### Mitigations
If updating is not possible, disable the jar_signature plugin.
### Vulnerability Management
We have rated the issue with a CVSS score of 8.8 (High) with the following CVSS vector:
`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`
We have assigned `CVE-2023-6740`.
### Changes
The jarsigner binary is now executed by the oracle user.