Title: symantec_av: Don't run sav command if it isn't owned by root
Class: security
Compatible: compat
Component: checks
Date: 1709110689
Edition: cre
Level: 1
Version: 2.2.0p24
Symantec Anti Virus plugin uses /opt/Symantec/symantec_antivirus/sav command
to monitor a Symantec Anti Virus installation.
To prevent privilege escalation, the plugin (which is run by root user) must
not run executables which can be changed by less privileged users.
In the default installation, sav command is owned by root and root is the only
user with write permissions, which prevents privilege escalation attacks.
With this Werk, the plugin checks if sav command is owned by root and root
is the only user with write permissions before running the command. If that's not
the case the command won't be run. This prevents privilege escalation attacks if
the permissions of the sav command have been changed.
We rate this with a CVSS of 0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).
This CVSS is primarily meant to please automatic scanners.
CMK-15318
Title: kaspersky_av: Don't run kav4fs-control or kesl-control if they aren't owned by root
Class: security
Compatible: compat
Component: checks
Date: 1709025290
Edition: cre
Level: 1
Version: 2.2.0p24
Kaspersky Anti-Virus plugin uses /opt/kaspersky/kav4fs/bin/kav4fs-control and
/opt/kaspersky/kesl/bin/kesl-control commands to monitor a Kaspersky Anti-Virus
installation.
To prevent privilege escalation, the plugin (which is run by root user) must
not run executables which can be changed by less privileged users.
In the default installation, kav4fs-control and kesl-control commands are owned
by root and root is the only user with write permissions, which prevents privilege
escalation attacks.
With this Werk, the plugin checks if control commands are owned by root and root
is the only user with write permissions before running the command. If that's not
the case the commands won't be run. This prevents privilege escalation attacks if
the permissions of the control commands have been changed.
We rate this with a CVSS of 0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).
This CVSS is primarily meant to please automatic scanners.
[//]: # (werk v2)
# symantec_av: Don't run sav command if it isn't owned by root
key | value
---------- | ---
date | 2024-02-28T08:58:09+00:00
version | 2.4.0b1
class | security
edition | cre
component | checks
level | 1
compatible | yes
Symantec Anti Virus plugin uses /opt/Symantec/symantec_antivirus/sav command
to monitor a Symantec Anti Virus installation.
To prevent privilege escalation, the plugin (which is run by root user) must
not run executables which can be changed by less privileged users.
In the default installation, sav command is owned by root and root is the only
user with write permissions, which prevents privilege escalation attacks.
With this Werk, the plugin checks if sav command is owned by root and root
is the only user with write permissions before running the command. If that's not
the case the command won't be run. This prevents privilege escalation attacks if
the permissions of the sav command have been changed.
We rate this with a CVSS of 0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).
This CVSS is primarily meant to please automatic scanners.
CMK-15318
Title: Privilege escalation in Windows agent
Class: security
Compatible: compat
Component: checks
Date: 1708958658
Edition: cre
Level: 1
Version: 2.1.0p40
In order to execute some system commands Checkmk Windows agent writes cmd files to <code>C:\Windows\Temp\</code> and afterwards executes them.
The permissions of the files were set restrictive but existing files were not properly handled.
If a cmd file already existed and was write protected the agent was not able to rewrite the file but did not handle this case and executed the file nevertheless.
We thank Michael Baer (SEC Consult Vulnerability Lab) for reporting this issue.
<strong>Affected Versions</strong>:
* 2.2.0
* 2.1.0
* 2.0.0
<strong>Indicators of Compromise</strong>:
The filename of the cmd file needed to be guessed therefore the proof-of-concept creates a lot of files in <code>C\Windows\Temp</code> with the filename <code>cmk_all_\d+_1.cmd</code>.
These file-creation events could be monitored.
<strong>Vulnerability Management</strong>:
We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector:
<code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>.
We assigned CVE-2024-0670 to this vulnerability.
<strong>Changes</strong>:
This Werk changes the temp folder and adds a subfolder with more restrictive permissions in which the files are created.
Also errors are handled better.
Title: Privilege escalation in Windows agent
Class: security
Compatible: compat
Component: checks
Date: 1708958658
Edition: cre
Level: 1
Version: 2.2.0p23
In order to execute some system commands Checkmk Windows agent writes cmd files to `C:\Windows\Temp\` and afterwards executes them.
The permissions of the files were set restrictive but existing files were not properly handled.
If a cmd file already existed and was write protected the agent was not able to rewrite the file but did not handle this case and executed the file nevertheless.
We thank Michael Baer (SEC Consult Vulnerability Lab) for reporting this issue.
**Affected Versions**:
* 2.2.0
* 2.1.0
* 2.0.0
**Indicators of Compromise**:
The filename of the cmd file needed to be guessed therefore the proof-of-concept creates a lot of files in `C\Windows\Temp` with the filename `cmk_all_\d+_1.cmd`.
These file-creation events could be monitored.
**Vulnerability Management**:
We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector:
`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`.
We assigned CVE-2024-0670 to this vulnerability.
**Changes**:
This Werk changes the temp folder and adds a subfolder with more restrictive permissions in which the files are created.
Also errors are handled better.
[//]: # (werk v2)
# kaspersky_av: Don't run kav4fs-control or kesl-control if they aren't owned by root
key | value
---------- | ---
date | 2024-02-27T09:14:50+00:00
version | 2.4.0b1
class | security
edition | cre
component | checks
level | 1
compatible | yes
Kaspersky Anti-Virus plugin uses /opt/kaspersky/kav4fs/bin/kav4fs-control and
/opt/kaspersky/kesl/bin/kesl-control commands to monitor a Kaspersky Anti-Virus
installation.
To prevent privilege escalation, the plugin (which is run by root user) must
not run executables which can be changed by less privileged users.
In the default installation, kav4fs-control and kesl-control commands are owned
by root and root is the only user with write permissions, which prevents privilege
escalation attacks.
With this Werk, the plugin checks if control commands are owned by root and root
is the only user with write permissions before running the command. If that's not
the case the commands won't be run. This prevents privilege escalation attacks if
the permissions of the control commands have been changed.
We rate this with a CVSS of 0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).
This CVSS is primarily meant to please automatic scanners.
[//]: # (werk v2)
# Privilege escalation in Windows agent
key | value
---------- | ---
compatible | yes
version | 2.4.0b1
date | 2024-02-26T14:44:18+00:00
level | 1
class | security
component | checks
edition | cre
In order to execute some system commands Checkmk Windows agent writes cmd files to `C:\Windows\Temp\` and afterwards executes them.
The permissions of the files were set restrictive but existing files were not properly handled.
If a cmd file already existed and was write protected the agent was not able to rewrite the file but did not handle this case and executed the file nevertheless.
We thank Michael Baer (SEC Consult Vulnerability Lab) for reporting this issue.
**Affected Versions**:
* 2.2.0
* 2.1.0
* 2.0.0
**Indicators of Compromise**:
The filename of the cmd file needed to be guessed therefore the proof-of-concept creates a lot of files in `C\Windows\Temp` with the filename `cmk_all_\d+_1.cmd`.
These file-creation events could be monitored.
**Vulnerability Management**:
We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector:
`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`.
We assigned CVE-2024-0670 to this vulnerability.
**Changes**:
This Werk changes the temp folder and adds a subfolder with more restrictive permissions in which the files are created.
Also errors are handled better.