Branch: refs/heads/2.1.0
Home:
https://github.com/tribe29/checkmk
Commit: c81da45553eeecdfb2b3e4e5d0bd6ddc986de70d
https://github.com/tribe29/checkmk/commit/c81da45553eeecdfb2b3e4e5d0bd6ddc9…
Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com>
Date: 2023-01-24 (Tue, 24 Jan 2023)
Changed paths:
A .werks/15181
M cmk/gui/plugins/userdb/ldap_connector.py
Log Message:
-----------
15181 SEC Improper validation of LDAP user IDs
Prior to this Werk, user IDs synced from an LDAP connection were not
properly sanitized. The allowed characters for LDAP user IDs were
not restricted in the same way as local user IDs.
As a result, malicious actors with the ability to change an LDAP user's
uid attribute were able to, within limits, manipulate files on
the server. For instance, attackers were able to overwrite files in other
users' var/check_mk/web folder, including the deletion of their
stored two-factor credentials (thus disabling 2FA for the affected
user). Additionally, attackers could also lock users out of their
accounts by creating a 2FA-credentials file in the affected user's web
folder.
However, it should be noted that to the best of our knowledge, attackers
could not have impersonated other users or taken over their accounts
directly.
This issue was discovered during internal review.
Affected Versions:
- 2.1.0 previous to this Werk
- 2.0.0 previous to this Werk
- 1.6.0 (EOL)
Mitigations:
Disable LDAP user synchronization.
Indicators of Compromise:
Inspect the list of users in WATO user management (Setup > Users) for
suspicious user IDs from an LDAP connection.
Vulnerability Management:
We have rated the issue with a CVSS Score of 6.8 (Medium) with the
following CVSS vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H.
We have assigned the CVE CVE-2023-0284.
Changes:
This Werk adds sanitization to LDAP user IDs. We do not anticipate any
negative impact on legitimate user IDs as the now-forbidden user IDs
could not have been used in a functional way.
CMK-11963
Change-Id: Icb5951e2d544ac821735afbee3263258370d515b
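The sanitization gap this Werk describes, shown as an added example that is not Checkmk's own code: an allowlist check applied to every user ID read from the directory before it is used as a directory name under the per-user web folder, plus a resolved-path check so that even a validated ID can only land directly under that root. The allowed character set, the 64-character limit, the sample LDAP IDs and the web root path are assumptions of this example, not values taken from the project.

```python
"""Allowlist validation for externally sourced user IDs before they become
path components. Added example; not Checkmk's code. The character set,
length limit, directory layout and sample data are assumptions."""
import re
from pathlib import Path

# Assumed allowlist (not Checkmk's actual rule): an ID starts with a letter
# or digit and continues with letters, digits, '_', '.', '-', '@' or '$',
# at most 64 characters in total. '/', '\\', NUL, whitespace and control
# characters are never allowed, and the first-character rule excludes the
# special names '.' and '..', so an ID can only ever name one directory
# entry directly below the folder it is joined to.
USER_ID_RE = re.compile(r"\A[A-Za-z0-9][A-Za-z0-9_.@$-]{0,63}\Z")


def is_valid_user_id(user_id) -> bool:
    """Return True only if user_id is safe to use as a single path component."""
    if not isinstance(user_id, str) or not user_id:
        return False
    return USER_ID_RE.fullmatch(user_id) is not None


def split_ldap_uids(raw_uids):
    """Partition IDs read from a directory sync into (accepted, rejected).

    Rejected IDs are returned rather than silently dropped so that a sync
    job can log them; an unexpected rejected ID is exactly the kind of
    indicator the Werk suggests looking for in the user list."""
    accepted, rejected = [], []
    for uid in raw_uids:
        (accepted if is_valid_user_id(uid) else rejected).append(uid)
    return accepted, rejected


def user_web_dir(web_root, user_id: str) -> Path:
    """Resolve a user's 'web' folder, refusing anything outside web_root."""
    if not is_valid_user_id(user_id):
        raise ValueError(f"rejected user id: {user_id!r}")
    root = Path(web_root).resolve()
    candidate = (root / user_id).resolve()
    # Defence in depth: after resolving '..' and symlinks, the folder must be
    # an immediate child of the root, never the root itself or a sibling.
    if candidate.parent != root:
        raise ValueError(f"user id escapes web root: {user_id!r}")
    return candidate


# Constructed sample of uid attribute values as a sync job might receive
# them; the traversal-style entries are deliberately malformed test input.
SAMPLE_LDAP_UIDS = [
    "alice", "bob.smith", "carol-1", "dave@example",
    "../mallory", "eve/../../etc", "frank\x00", " ", "",
]

if __name__ == "__main__":
    ok, bad = split_ldap_uids(SAMPLE_LDAP_UIDS)
    print("accepted:", ok)
    print("rejected:", bad)
    # Assumed site layout, not a real path on this machine.
    root = "/tmp/example_site/var/check_mk/web"
    for uid in ("alice", "../mallory"):
        try:
            print(uid, "->", user_web_dir(root, uid))
        except ValueError as err:
            print(uid, "-> refused:", err)
```

Returning the rejected list from the sync step, instead of discarding it, is the design choice worth keeping: it gives the operator a log line to alert on whenever the directory hands over an ID that would not have been accepted for a local user.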