[checkmk-commits] [tribe29/checkmk] c81da4: 15181 SEC Improper validation of LDAP user IDs

Branch: refs/heads/2.1.0 Home: https://github.com/tribe29/checkmk Commit: c81da45553eeecdfb2b3e4e5d0bd6ddc986de70d https://github.com/tribe29/checkmk/commit/c81da45553eeecdfb2b3e4e5d0bd6ddc9… Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com> Date: 2023-01-24 (Tue, 24 Jan 2023) Changed paths: A .werks/15181 M cmk/gui/plugins/userdb/ldap_connector.py Log Message: ----------- 15181 SEC Improper validation of LDAP user IDs Prior to this Werk user IDs synced from an LDAP connection were not properly sanitized. The allowed characters for LDAP users user IDs were not restricted in the same way as local user IDs. As a result, malicious actors with the ability to change an LDAP user's uid attribute were able to, within limits, manipulate files on the server. For instance, attackers were able to override files in other users' var/check_mk/web folder, including the deletion of their stored two-factor credentials (thus disabling 2FA for the affected user). Additionally, attackers could also lock users out of their accounts by creating a 2FA-credentials file in the affected user's web folder. However, it should be noted that to the best of our knowledge, attackers could not have impersonated other users or taken over their accounts directly. This issue was discovered during internal review. Affected Versions: - 2.1.0 previous to this Werk - 2.0.0 previous to this Werk - 1.6.0 (EOL) Mitigations: Disable LDAP user synchronization. Indicators of Compromise: Inspect the list of users in WATO user management (Setup > Users) for suspicious user IDs from an LDAP connection. Vulnerability Management: We have rated the issue with a CVSS Score of 6.8 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H. We have assigned the CVE CVE-2023-0284 Changes: This Werk adds sanitization to LDAP user IDs. We do not anticipate any negative impact on legitimate user IDs as the now-forbidden user IDs could not have been used in a functional way. CMK-11963 Change-Id: Icb5951e2d544ac821735afbee3263258370d515b