Checkmk werks security April 2024

checkmk-werks-sec@lists.checkmk.com

1 participants
11 discussions

[2.1.0] Checkmk Werk 15198 adapted: Brute-force protection ineffective for some login methods

by Checkmk security werks

Werk 15198 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: Brute-force protection ineffective for some login methods Class: security Compatible: compat Component: wato Date: 1712665452 Edition: cre Level: 1 Version: 2.1.0p43 Prior to this Werk, the mechanism to lock user accounts after too many failed login attempts was only effective for the web form login method. Login attempts via the REST API and basic authentication did not count towards the lockout mechanism. As a result, an attacker could try to brute-force user passwords without triggering the lockout mechanism. This Werk adds the same locking mechanism to login via the REST API and basic authentication for human user accounts. Note that automation accounts are remain unaffected by the lockout mechanism to avoid having them locked by malicious intent. It is therefore important to use long, random automation secrets. This issue was found during internal review. Affected Versions: LI: 2.3.0 (beta) LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 (EOL) Mitigations: If updating is not possible, the brute-force attempts can be hindered by using a strong password policy. Vulnerability Management: We have rated the issue with a CVSS Score of 5.9 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</code> and assigned CVE <code>CVE-2024-28825</code>. ------------------------------------<diff>------------------------------------------- Title: Brute-force protection ineffective for some login methods Class: security Compatible: compat Component: wato Date: 1712665452 Edition: cre Level: 1 - Version: 2.1.0p42 ? ^ + Version: 2.1.0p43 ? ^ Prior to this Werk, the mechanism to lock user accounts after too many failed login attempts was only effective for the web form login method. Login attempts via the REST API and basic authentication did not count towards the lockout mechanism. As a result, an attacker could try to brute-force user passwords without triggering the lockout mechanism. This Werk adds the same locking mechanism to login via the REST API and basic authentication for human user accounts. Note that automation accounts are remain unaffected by the lockout mechanism to avoid having them locked by malicious intent. It is therefore important to use long, random automation secrets. This issue was found during internal review. Affected Versions: LI: 2.3.0 (beta) LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 (EOL) Mitigations: If updating is not possible, the brute-force attempts can be hindered by using a strong password policy. Vulnerability Management: We have rated the issue with a CVSS Score of 5.9 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</code> and assigned CVE <code>CVE-2024-28825</code>.

4 weeks

[2.2.0] Checkmk Werk 16362 adapted: Update Python version for Windows agent

by Checkmk security werks

Werk 16362 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: Update Python version for Windows agent Class: security Compatible: compat Component: checks Date: 1709283564 Edition: cee Level: 1 Version: 2.2.0p26 When agent plugins are configured for a windows agent the baked package for windows contains a Python version. This version is updated from 3.11.7 to 3.11.8. This contains an update from openssl 3.0.11 to 3.0.13 and a fix for: * CVE-2024-0727 * CVE-2023-6237 * CVE-2023-6129 * CVE-2023-5678 * CVE-2023-5363 To our knowledge none of these vulnerabilities were exploitable in this setup. We rate this with a CVSS of 0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N). This CVSS is primarily meant to please automatic scanners. ------------------------------------<diff>------------------------------------------- Title: Update Python version for Windows agent Class: security Compatible: compat Component: checks Date: 1709283564 Edition: cee Level: 1 - Version: 2.2.0p25 ? ^ + Version: 2.2.0p26 ? ^ When agent plugins are configured for a windows agent the baked package for windows contains a Python version. This version is updated from 3.11.7 to 3.11.8. This contains an update from openssl 3.0.11 to 3.0.13 and a fix for: * CVE-2024-0727 * CVE-2023-6237 * CVE-2023-6129 * CVE-2023-5678 * CVE-2023-5363 To our knowledge none of these vulnerabilities were exploitable in this setup. We rate this with a CVSS of 0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N). This CVSS is primarily meant to please automatic scanners.

1 month

[2.2.0] Checkmk Werk 16615 adapted: Remove websphere_mq plugin

by Checkmk security werks

Werk 16615 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: Remove websphere_mq plugin Class: security Compatible: compat Component: checks Date: 1710155388 Edition: cre Level: 1 Version: 2.2.0p26 With this Werk the <code>websphere_mq</code> plugin is removed for security reasons. In this plugin the output of <code>ps</code> is used to determine an argument for <code>runmqsc</code>. This meant that anybody who can launch processes with an arbitrary command line could manipulate one argument to <code>runmqsc</code>. The plugin was already superseded by the agent plugin <code>ibm_mq</code> and deprecated with Werk <a href="https://checkmk.com/werk/10752">10752</a> and version 2.0.0. Since this plugin is already deprecated and it was not configurable via the agent bakery we assumed that this plugin is not frequently used. Therefore we decided to not fix the issue but to push the removal. We found this vulnerability internally. Affected versions: LI: 2.3.0 LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 Mitigations: Migrate to the <code>ibm_mq</code> plugin. Vulnerability Management: We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N</code>. We assigned CVE-2024-3367 to this vulnerability. Changes: The plugin was removed. ------------------------------------<diff>------------------------------------------- Title: Remove websphere_mq plugin Class: security Compatible: compat Component: checks Date: 1710155388 Edition: cre Level: 1 - Version: 2.2.0p25 ? ^ + Version: 2.2.0p26 ? ^ With this Werk the <code>websphere_mq</code> plugin is removed for security reasons. In this plugin the output of <code>ps</code> is used to determine an argument for <code>runmqsc</code>. This meant that anybody who can launch processes with an arbitrary command line could manipulate one argument to <code>runmqsc</code>. The plugin was already superseded by the agent plugin <code>ibm_mq</code> and deprecated with Werk <a href="https://checkmk.com/werk/10752">10752</a> and version 2.0.0. Since this plugin is already deprecated and it was not configurable via the agent bakery we assumed that this plugin is not frequently used. Therefore we decided to not fix the issue but to push the removal. We found this vulnerability internally. Affected versions: LI: 2.3.0 LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 Mitigations: Migrate to the <code>ibm_mq</code> plugin. Vulnerability Management: We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N</code>. We assigned CVE-2024-3367 to this vulnerability. Changes: The plugin was removed.

1 month

[2.2.0] Checkmk Werk 15198 adapted: Brute-force protection ineffective for some login methods

by Checkmk security werks

Werk 15198 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: Brute-force protection ineffective for some login methods Class: security Compatible: compat Component: wato Date: 1712665452 Edition: cre Level: 1 Version: 2.2.0p26 Prior to this Werk, the mechanism to lock user accounts after too many failed login attempts was only effective for the web form login method. Login attempts via the REST API and basic authentication did not count towards the lockout mechanism. As a result, an attacker could try to brute-force user passwords without triggering the lockout mechanism. This Werk adds the same locking mechanism to login via the REST API and basic authentication for human user accounts. Note that automation accounts are remain unaffected by the lockout mechanism to avoid having them locked by malicious intent. It is therefore important to use long, random automation secrets. This issue was found during internal review. Affected Versions: LI: 2.3.0 (beta) LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 (EOL) Mitigations: If updating is not possible, the brute-force attempts can be hindered by using a strong password policy. Vulnerability Management: We have rated the issue with a CVSS Score of 5.9 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</code> and assigned CVE <code>CVE-2024-28825</code>. ------------------------------------<diff>------------------------------------------- Title: Brute-force protection ineffective for some login methods Class: security Compatible: compat Component: wato Date: 1712665452 Edition: cre Level: 1 - Version: 2.2.0p25 ? ^ + Version: 2.2.0p26 ? ^ Prior to this Werk, the mechanism to lock user accounts after too many failed login attempts was only effective for the web form login method. Login attempts via the REST API and basic authentication did not count towards the lockout mechanism. As a result, an attacker could try to brute-force user passwords without triggering the lockout mechanism. This Werk adds the same locking mechanism to login via the REST API and basic authentication for human user accounts. Note that automation accounts are remain unaffected by the lockout mechanism to avoid having them locked by malicious intent. It is therefore important to use long, random automation secrets. This issue was found during internal review. Affected Versions: LI: 2.3.0 (beta) LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 (EOL) Mitigations: If updating is not possible, the brute-force attempts can be hindered by using a strong password policy. Vulnerability Management: We have rated the issue with a CVSS Score of 5.9 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</code> and assigned CVE <code>CVE-2024-28825</code>.

1 month

[2.1.0] Checkmk Werk 15198 created: Brute-force protection ineffective for some login methods

by Checkmk security werks

Title: Brute-force protection ineffective for some login methods Class: security Compatible: compat Component: wato Date: 1712665452 Edition: cre Level: 1 Version: 2.1.0p42 Prior to this Werk, the mechanism to lock user accounts after too many failed login attempts was only effective for the web form login method. Login attempts via the REST API and basic authentication did not count towards the lockout mechanism. As a result, an attacker could try to brute-force user passwords without triggering the lockout mechanism. This Werk adds the same locking mechanism to login via the REST API and basic authentication for human user accounts. Note that automation accounts are remain unaffected by the lockout mechanism to avoid having them locked by malicious intent. It is therefore important to use long, random automation secrets. This issue was found during internal review. Affected Versions: LI: 2.3.0 (beta) LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 (EOL) Mitigations: If updating is not possible, the brute-force attempts can be hindered by using a strong password policy. Vulnerability Management: We have rated the issue with a CVSS Score of 5.9 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</code> and assigned CVE <code>CVE-2024-28825</code>.

1 month

[2.2.0] Checkmk Werk 15198 created: Brute-force protection ineffective for some login methods

by Checkmk security werks

Title: Brute-force protection ineffective for some login methods Class: security Compatible: compat Component: wato Date: 1712665452 Edition: cre Level: 1 Version: 2.2.0p25 Prior to this Werk, the mechanism to lock user accounts after too many failed login attempts was only effective for the web form login method. Login attempts via the REST API and basic authentication did not count towards the lockout mechanism. As a result, an attacker could try to brute-force user passwords without triggering the lockout mechanism. This Werk adds the same locking mechanism to login via the REST API and basic authentication for human user accounts. Note that automation accounts are remain unaffected by the lockout mechanism to avoid having them locked by malicious intent. It is therefore important to use long, random automation secrets. This issue was found during internal review. Affected Versions: LI: 2.3.0 (beta) LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 (EOL) Mitigations: If updating is not possible, the brute-force attempts can be hindered by using a strong password policy. Vulnerability Management: We have rated the issue with a CVSS Score of 5.9 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</code> and assigned CVE <code>CVE-2024-28825</code>.

1 month

[2.4.0] Checkmk Werk 15199 created: Update OpenSSL to version 3.0.13

by Checkmk security werks

[//]: # (werk v2) # Update OpenSSL to version 3.0.13 key | value ---------- | --- date | 2024-04-17T10:08:23+00:00 version | 2.4.0b1 class | security edition | cre component | omd level | 1 compatible | yes OpenSSL was updated to version 3.0.13. OpenSSL 3 uses requirements regarding allowed configurations, such as allowed ciphers, renegotiation, and so on. In some scenarios, this can break monitoring for hosts with TLS configurations that are no longer considered secure. We have published a blog post to help you mitigate these issues, should they affect you: https://checkmk.com/blog/how-monitor-servers-broken-tls-checkmk. To aid automated scanning we assign a CVSS score of 0.0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).

1 month

[2.4.0] Checkmk Werk 15198 created: Brute-force protection ineffective for some login methods

by Checkmk security werks

[//]: # (werk v2) # Brute-force protection ineffective for some login methods key | value ---------- | --- date | 2024-04-09T12:24:12+00:00 version | 2.4.0b1 class | security edition | cre component | wato level | 1 compatible | yes Prior to this Werk, the mechanism to lock user accounts after too many failed login attempts was only effective for the web form login method. Login attempts via the REST API and basic authentication did not count towards the lockout mechanism. As a result, an attacker could try to brute-force user passwords without triggering the lockout mechanism. This Werk adds the same locking mechanism to login via the REST API and basic authentication _for human user accounts_. Note that automation accounts are remain unaffected by the lockout mechanism to avoid having them locked by malicious intent. It is therefore important to use long, random automation secrets. This issue was found during internal review. **Affected Versions**: * 2.3.0 (beta) * 2.2.0 * 2.1.0 * 2.0.0 (EOL) **Mitigations**: If updating is not possible, the brute-force attempts can be hindered by using a strong password policy. **Vulnerability Management**: We have rated the issue with a CVSS Score of 5.9 (Medium) with the following CVSS vector: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N` and assigned CVE `CVE-2024-28825`.

1 month

[2.2.0] Checkmk Werk 16615 created: Remove websphere_mq plugin

by Checkmk security werks

Title: Remove websphere_mq plugin Class: security Compatible: compat Component: checks Date: 1710155388 Edition: cre Level: 1 Version: 2.2.0p25 With this Werk the <code>websphere_mq</code> plugin is removed for security reasons. In this plugin the output of <code>ps</code> is used to determine an argument for <code>runmqsc</code>. This meant that anybody who can launch processes with an arbitrary command line could manipulate one argument to <code>runmqsc</code>. The plugin was already superseded by the agent plugin <code>ibm_mq</code> and deprecated with Werk <a href="https://checkmk.com/werk/10752">10752</a> and version 2.0.0. Since this plugin is already deprecated and it was not configurable via the agent bakery we assumed that this plugin is not frequently used. Therefore we decided to not fix the issue but to push the removal. We found this vulnerability internally. Affected versions: LI: 2.3.0 LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 Mitigations: Migrate to the <code>ibm_mq</code> plugin. Vulnerability Management: We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N</code>. We assigned CVE-2024-3367 to this vulnerability. Changes: The plugin was removed.

1 month, 1 week

[2.4.0] Checkmk Werk 16615 created: Remove websphere_mq plugin

by Checkmk security werks

[//]: # (werk v2) # Remove websphere_mq plugin key | value ---------- | --- date | 2024-03-11T11:09:48+00:00 version | 2.4.0b1 class | security edition | cre component | checks level | 1 compatible | yes With this Werk the `websphere_mq` plugin is removed for security reasons. In this plugin the output of `ps` is used to determine an argument for `runmqsc`. This meant that anybody who can launch processes with an arbitrary command line could manipulate one argument to `runmqsc`. The plugin was already superseded by the agent plugin `ibm_mq` and deprecated with Werk [10752](https://checkmk.com/werk/10752) and version 2.0.0. Since this plugin is already deprecated and it was not configurable via the *agent bakery* we assumed that this plugin is not frequently used. Therefore we decided to not fix the issue but to push the removal. We found this vulnerability internally. __Affected versions__: * 2.3.0 * 2.2.0 * 2.1.0 * 2.0.0 __Mitigations__: Migrate to the `ibm_mq` plugin. __Vulnerability Management__: We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N`. We assigned CVE-2024-3367 to this vulnerability. __Changes__: The plugin was removed.

1 month, 1 week

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

Checkmk werks security April 2024