Checkmk werks security March 2024

checkmk-werks-sec@lists.checkmk.com

1 participants
12 discussions

[2.1.0] Checkmk Werk 16234 adapted: Hide credentials in ps output for mk_oracle

by Checkmk security werks

Werk 16234 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: Hide credentials in ps output for mk_oracle Class: security Compatible: compat Component: checks Date: 1708454375 Edition: cre Level: 1 Version: 2.1.0p41 In the mk_oracle plugin <tt>sqlplus</tt> used to be called with the connection string as an argument. This connection string could contain credentials necessary to authenticate against the database. These arguments could be extracted by other users (e.g. with use of <tt>ps</tt>). This vulnerability was reported to us, we are not aware of any exploitations. <b>Affected Versions:</b> 2.3.0 (beta) 2.2.0 2.1.0 2.0.0 (probably older versions as well) <b>Vulnerability Management:</b> We have rated the issue with a CVSS Score of 3.8 (Low) with the following CVSS vector: <tt>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</tt>. We assigned CVE-2024-1742 to this vulnerability. <b>Changes:</b> With this Werk the connection string is now piped via stdin to <tt>sqlplus</tt>. ------------------------------------<diff>------------------------------------------- Title: Hide credentials in ps output for mk_oracle Class: security Compatible: compat Component: checks Date: 1708454375 Edition: cre Level: 1 - Version: 2.2.0p24 ? ^ - + Version: 2.1.0p41 ? ^ + In the mk_oracle plugin <tt>sqlplus</tt> used to be called with the connection string as an argument. This connection string could contain credentials necessary to authenticate against the database. These arguments could be extracted by other users (e.g. with use of <tt>ps</tt>). This vulnerability was reported to us, we are not aware of any exploitations. <b>Affected Versions:</b> + 2.3.0 (beta) 2.2.0 2.1.0 2.0.0 (probably older versions as well) <b>Vulnerability Management:</b> We have rated the issue with a CVSS Score of 3.8 (Low) with the following CVSS vector: <tt>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</tt>. We assigned CVE-2024-1742 to this vulnerability. <b>Changes:</b> With this Werk the connection string is now piped via stdin to <tt>sqlplus</tt>.

2 months

[2.1.0] Checkmk Werk 16198 created: mk_informix: Do not allow privilege escalation

by Checkmk security werks

Title: mk_informix: Do not allow privilege escalation Class: security Compatible: compat Component: checks Date: 1709909870 Edition: cre Level: 1 Version: 2.1.0p41 The informix database monitoring plugin would previously <code>eval</code> statements parsed from <code>$INFORMIXDIR/bin/onstat</code>. Since the plugin is usually run as root, this could cause statements injected in <code>$INFORMIXDIR/bin/onstat</code> to be run as root as well. By adding scripts named the same as other functionality found in <code>$PATH</code> to <code>$INFORMIXDIR/bin</code>, <code>$PATH</code> functionality could also be overshadowed and the custom executed as root. Finally, <code>$INFORMIXDIR/bin/onstat</code> would be executed as root, allowing a substituted script to be run with elevated privileges. With this werk, the environment variables will be exported instead and <code>$PATH</code> will now be searched before <code>$INFORMIXDIR/bin</code>. The plugin will now also check if <code>$INFORMIXDIR/bin/onstat</code> belongs to root if the plugin is executed as root. If not, it will be executed as the user owning the executable. This issue was found during internal review. <em>Affected Versions</em>: LI: 2.3.0 (beta) LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 (EOL) <em>Vulnerability Management</em>: We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code> and assigned CVE <code>CVE-2024-28824</code>.

2 months

[2.2.0] Checkmk Werk 16234 created: Hide credentials in ps output for mk_oracle

by Checkmk security werks

Title: Hide credentials in ps output for mk_oracle Class: security Compatible: compat Component: checks Date: 1708454375 Edition: cre Level: 1 Version: 2.2.0p24 In the mk_oracle plugin <tt>sqlplus</tt> used to be called with the connection string as an argument. This connection string could contain credentials necessary to authenticate against the database. These arguments could be extracted by other users (e.g. with use of <tt>ps</tt>). This vulnerability was reported to us, we are not aware of any exploitations. <b>Affected Versions:</b> 2.2.0 2.1.0 2.0.0 (probably older versions as well) <b>Vulnerability Management:</b> We have rated the issue with a CVSS Score of 3.8 (Low) with the following CVSS vector: <tt>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</tt>. We assigned CVE-2024-1742 to this vulnerability. <b>Changes:</b> With this Werk the connection string is now piped via stdin to <tt>sqlplus</tt>.

2 months

[2.1.0] Checkmk Werk 16232 created: mk_oracle(ps1): Prevent privilege esclation to root

by Checkmk security werks

Title: mk_oracle(ps1): Prevent privilege esclation to root Class: security Compatible: compat Component: checks Date: 1705479643 Edition: cre Level: 3 Version: 2.1.0p41 The agent plugins mk_oracle, mk_oracle.ps1 and mk_oracle_crs were vulnerable to privilege escalation to root by the oracle user. A malicious oracle user could replace a binary (e.g. sqlplus) with another script and put it in the corresponding directory. The script would be executed by the root user. All binaries, which are called by the plugins, are now checked if they need to be executed as a non-root (non-administrator under Windows) user, preventing the privilege escalation. Affected binaries are: sqlplus, tnsping, crsctl. <h3>Affected Versions</h3> LI: 2.3.0 (beta) LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 (EOL) and older <h3>Mitigations</h3> If updating is not possible, disable the mk_oracle plugin. <h3>Vulnerability Management</h3> We have rated the issue with a CVSS score of 8.2 (High) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H</code> We have assigned <code>CVE-2024-0638</code>. <h3>Changes</h3> All called binaries are now executed in a safe way.

2 months

[2.2.0] Checkmk Werk 16362 adapted: Update Python version for Windows agent

by Checkmk security werks

Werk 16362 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: Update Python version for Windows agent Class: security Compatible: compat Component: checks Date: 1709283564 Edition: cee Level: 1 Version: 2.2.0p25 When agent plugins are configured for a windows agent the baked package for windows contains a Python version. This version is updated from 3.11.7 to 3.11.8. This contains an update from openssl 3.0.11 to 3.0.13 and a fix for: * CVE-2024-0727 * CVE-2023-6237 * CVE-2023-6129 * CVE-2023-5678 * CVE-2023-5363 To our knowledge none of these vulnerabilities were exploitable in this setup. We rate this with a CVSS of 0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N). This CVSS is primarily meant to please automatic scanners. ------------------------------------<diff>------------------------------------------- Title: Update Python version for Windows agent Class: security Compatible: compat Component: checks Date: 1709283564 Edition: cee Level: 1 - Version: 2.2.0p24 ? ^ + Version: 2.2.0p25 ? ^ When agent plugins are configured for a windows agent the baked package for windows contains a Python version. This version is updated from 3.11.7 to 3.11.8. This contains an update from openssl 3.0.11 to 3.0.13 and a fix for: * CVE-2024-0727 * CVE-2023-6237 * CVE-2023-6129 * CVE-2023-5678 * CVE-2023-5363 To our knowledge none of these vulnerabilities were exploitable in this setup. We rate this with a CVSS of 0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N). This CVSS is primarily meant to please automatic scanners.

2 months

[2.2.0] Checkmk Werk 16198 created: mk_informix: Do not allow privilege escalation

by Checkmk security werks

Title: mk_informix: Do not allow privilege escalation Class: security Compatible: compat Component: checks Date: 1709909870 Edition: cre Level: 1 Version: 2.2.0p24 The informix database monitoring plugin would previously <code>eval</code> statements parsed from <code>$INFORMIXDIR/bin/onstat</code>. Since the plugin is usually run as root, this could cause statements injected in <code>$INFORMIXDIR/bin/onstat</code> to be run as root as well. By adding scripts named the same as other functionality found in <code>$PATH</code> to <code>$INFORMIXDIR/bin</code>, <code>$PATH</code> functionality could also be overshadowed and the custom executed as root. Finally, <code>$INFORMIXDIR/bin/onstat</code> would be executed as root, allowing a substituted script to be run with elevated privileges. With this werk, the environment variables will be exported instead and <code>$PATH</code> will now be searched before <code>$INFORMIXDIR/bin</code>. The plugin will now also check if <code>$INFORMIXDIR/bin/onstat</code> belongs to root if the plugin is executed as root. If not, it will be executed as the user owning the executable. This issue was found during internal review. <em>Affected Versions</em>: LI: 2.3.0 (beta) LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 (EOL) <em>Vulnerability Management</em>: We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code> and assigned CVE <code>CVE-2024-28824</code>.

2 months

[2.2.0] Checkmk Werk 16234 created: Hide credentials in ps output for mk_oracle

by Checkmk security werks

2 months

[2.2.0] Checkmk Werk 16232 created: mk_oracle(ps1): Prevent privilege esclation to root

by Checkmk security werks

Title: mk_oracle(ps1): Prevent privilege esclation to root Class: security Compatible: compat Component: checks Date: 1705479643 Edition: cre Level: 3 Version: 2.2.0p24 The agent plugins mk_oracle, mk_oracle.ps1 and mk_oracle_crs were vulnerable to privilege escalation to root by the oracle user. A malicious oracle user could replace a binary (e.g. sqlplus) with another script and put it in the corresponding directory. The script would be executed by the root user. All binaries, which are called by the plugins, are now checked if they need to be executed as a non-root (non-administrator under Windows) user, preventing the privilege escalation. Affected binaries are: sqlplus, tnsping, crsctl. <h3>Affected Versions</h3> LI: 2.3.0 (beta) LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 (EOL) and older <h3>Mitigations</h3> If updating is not possible, disable the mk_oracle plugin. <h3>Vulnerability Management</h3> We have rated the issue with a CVSS score of 8.2 (High) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H</code> We have assigned <code>CVE-2024-0638</code>. <h3>Changes</h3> All called binaries are now executed in a safe way.

2 months

[2.4.0] Checkmk Werk 16234 created: Hide credentials in ps output for mk_oracle

by Checkmk security werks

[//]: # (werk v2) # Hide credentials in ps output for mk_oracle key | value ---------- | --- compatible | yes version | 2.4.0b1 date | 2024-02-20T18:39:35+00:00 level | 1 class | security component | checks edition | cre In the mk_oracle plugin <tt>sqlplus</tt> used to be called with the connection string as an argument. This connection string could contain credentials necessary to authenticate against the database. These arguments could be extracted by other users (e.g. with use of <tt>ps</tt>). This vulnerability was reported to us, we are not aware of any exploitations. <b>Affected Versions:</b> 2.2.0 2.1.0 2.0.0 (probably older versions as well) <b>Vulnerability Management:</b> We have rated the issue with a CVSS Score of 3.8 (Low) with the following CVSS vector: <tt>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</tt>. We assigned CVE-2024-1742 to this vulnerability. <b>Changes:</b> With this Werk the connection string is now piped via stdin to <tt>sqlplus</tt>.

2 months

[2.4.0] Checkmk Werk 16232 created: mk_oracle(ps1): Prevent privilege esclation to root

by Checkmk security werks

[//]: # (werk v2) # mk_oracle(ps1): Prevent privilege esclation to root key | value ---------- | --- compatible | yes version | 2.4.0b1 date | 2024-01-17T08:20:43+00:00 level | 3 class | security component | checks edition | cre The agent plugins mk_oracle, mk_oracle.ps1 and mk_oracle_crs were vulnerable to privilege escalation to root by the oracle user. A malicious oracle user could replace a binary (e.g. sqlplus) with another script and put it in the corresponding directory. The script would be executed by the root user. All binaries, which are called by the plugins, are now checked if they need to be executed as a non-root (non-administrator under Windows) user, preventing the privilege escalation. Affected binaries are: sqlplus, tnsping, crsctl. <h3>Affected Versions</h3> * 2.3.0 (beta) * 2.2.0 * 2.1.0 * 2.0.0 (EOL) and older <h3>Mitigations</h3> If updating is not possible, disable the mk_oracle plugin. <h3>Vulnerability Management</h3> We have rated the issue with a CVSS score of 8.2 (High) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H</code> We have assigned <code>CVE-2024-0638</code>. <h3>Changes</h3> All called binaries are now executed in a safe way.

2 months

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

Checkmk werks security March 2024