Branch: refs/heads/2.0.0
Home:
https://github.com/tribe29/checkmk
Commit: 8ee46030488e7bb0b975085f03e1cc748c6c5b03
https://github.com/tribe29/checkmk/commit/8ee46030488e7bb0b975085f03e1cc748…
Author: Maximilian Wirtz <maximilian.wirtz(a)tribe29.com>
Date: 2023-03-01 (Wed, 01 Mar 2023)
Changed paths:
A .werks/15068
Log Message:
-----------
15068 SEC Fix improper certificate validation in agent updater
The compiled version of the agent-updater uses its own collection of trusted Certificate
Authorities.
This collection comes from the Python package certifi and is based on the collection of
Mozilla Firefox.
The Python package used, and therefore the collection, was outdated and is subject to
CVE-2022-23491.
This collection included a CA certificate of TrustCor which is not considered trustworthy
anymore.
(See:
https://security.googleblog.com/2023/01/sustaining-digital-certificate-secu…)
If an attacker was able to create certificates for arbitrary domains signed by this CA,
machine-in-the-middle attacks could be possible.
To mitigate this vulnerability, please update and roll out the agent-updater (a typical
agent update is sufficient).
If an update is currently not possible one can set the <tt>Certificates for HTTPS
verification</tt> option for the agent updater.
If this option is set, a custom list of trusted certificates is used to verify the HTTPS
connection instead of the CA collection.
All versions up to 1.6 are vulnerable.
This vulnerability was found internally.
We calculated a CVSS 3.1 score of 6.2 (medium) with the following vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:R
Please note that we rate this rather low since this is more a hypothetical attack and no
wrongdoing of the CA was ever proven.
This also includes these changes:
- 40cd46cfbf7f9da5e68f75f24a272c772f700722
- I05ffb5a41216740a561a7e574be45b59943bef1c
- I026fc7c30fc4ed10579fb40e5f2995346376084c
- I257fe2b5ae07673002c67162566dbcd14216b006
- I9b925a40fd53ce63d877c55b7b13a178bb716c49
- I0aa79606a5697cdb0e9aff09116e0c23a61cb2a8
- Ia23359a5fb9e3f1fd92b6d1d777e82d85229efe6
Change-Id: Ia23359a5fb9e3f1fd92b6d1d777e82d85229efe6
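The werk above describes two things a defender may want to do on a host that cannot be updated yet: find out whether a bundled CA collection still carries a distrusted root, and produce a reduced list of trusted certificates to hand to the agent updater's "Certificates for HTTPS verification" option. The following stand-alone Python script is an added example, not Checkmk's or certifi's own code. It uses only the standard library, reads every certificate in a PEM bundle, pulls the subject CN and O out of the DER directly, and reports or removes entries whose subject matches a given name. The function names (`scan_bundle`, `prune_bundle`, `bundle_subjects`) are my own, and the two certificates in `SAMPLE_BUNDLE` are constructed, unsigned skeletons for the test; they are not real Mozilla or TrustCor roots.

```python
"""Audit a PEM CA bundle for a distrusted root and emit a reduced bundle.

Added example (not Checkmk's own code). The sample certificates at the bottom
are constructed, unsigned stand-ins so the parser has something to read.
"""
import base64
import re

CN_OID = b"\x55\x04\x03"   # id-at-commonName        2.5.4.3
O_OID = b"\x55\x04\x0a"    # id-at-organizationName  2.5.4.10
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


# ---- minimal DER reader (enough to reach the subject Name) -------------------
def _tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Split the contents of a constructed element into (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _tlv(content, pos)
        out.append((tag, val))
    return out


def subject_attrs(der):
    """Extract {'CN': ..., 'O': ...} from the subject Name of a DER certificate."""
    _, cert_body, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, tbs = _children(cert_body)[0]            # tbsCertificate contents
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                    # optional [0] EXPLICIT version
        fields = fields[1:]
    subject = fields[4][1]                      # serial, sigAlg, issuer, validity, subject, ...
    attrs = {}
    for _, rdn_set in _children(subject):       # Name ::= SEQUENCE OF RelativeDistinguishedName
        for _, atv in _children(rdn_set):       # RDN  ::= SET OF AttributeTypeAndValue
            (_, oid), (_, val) = _children(atv)
            if oid == CN_OID:
                attrs["CN"] = val.decode("utf-8", "replace")
            elif oid == O_OID:
                attrs["O"] = val.decode("utf-8", "replace")
    return attrs


# ---- bundle handling ---------------------------------------------------------
def _entries(bundle_text):
    """Yield (pem_block, subject_attrs) for every certificate in the bundle."""
    for m in PEM_RE.finditer(bundle_text):
        der = base64.b64decode("".join(m.group(1).split()))
        yield m.group(0), subject_attrs(der)


def _matches(attrs, distrusted):
    name = (attrs.get("CN", "") + " " + attrs.get("O", "")).lower()
    return any(d.lower() in name for d in distrusted)


def bundle_subjects(bundle_text):
    """List the subject CN of every certificate, in bundle order."""
    return [attrs.get("CN", "") for _, attrs in _entries(bundle_text)]


def scan_bundle(bundle_text, distrusted):
    """Return [(index, attrs)] for certificates whose CN or O contains a distrusted name."""
    return [(i, attrs) for i, (_, attrs) in enumerate(_entries(bundle_text))
            if _matches(attrs, distrusted)]


def prune_bundle(bundle_text, distrusted):
    """Return a new PEM bundle with the matching certificates removed."""
    kept = [pem for pem, attrs in _entries(bundle_text) if not _matches(attrs, distrusted)]
    return "\n".join(kept) + "\n"


# ---- constructed test data (unsigned skeletons, NOT real CA certificates) ----
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn, org):
    atv = lambda oid, s: _der(0x30, _der(0x06, oid) + _der(0x0C, s.encode()))
    return _der(0x30, _der(0x31, atv(O_OID, org)) + _der(0x31, atv(CN_OID, cn)))


def _fake_cert(cn, org):
    """Build just enough of a Certificate structure for subject_attrs() to parse."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSAEncryption
    validity = _der(0x30, _der(0x17, b"230101000000Z") + _der(0x17, b"330101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(cn, org) + validity + _name(cn, org) + _der(0x30, b""))
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00"))
    b64 = base64.encodebytes(cert).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = (_fake_cert("Example Root CA", "Example Trust Services (constructed)")
                 + _fake_cert("TrustCor Sample Root (constructed)", "Sample Org"))

if __name__ == "__main__":
    for idx, attrs in scan_bundle(SAMPLE_BUNDLE, ["TrustCor"]):
        print(f"distrusted root at position {idx}: {attrs}")
    print(prune_bundle(SAMPLE_BUNDLE, ["TrustCor"]))
```

On a real host you would feed the bundle the updater ships (or the file returned by `certifi.where()`) to `scan_bundle`, and write the output of `prune_bundle` to a file that the "Certificates for HTTPS verification" option points at; that reduced file can also be loaded with `ssl.create_default_context(cafile=...)` to confirm it still verifies your update server. The matcher is a plain substring check on CN and O, which is sufficient for a named root but deliberately does not try to be a full X.509 parser.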