Branch: refs/heads/1.6.0
Home: https://github.com/tribe29/checkmk
Commit: bd2963292a03b7245c6c75b8803de323d381fa9b
https://github.com/tribe29/checkmk/commit/bd2963292a03b7245c6c75b8803de323d…
Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com>
Date: 2022-08-25 (Thu, 25 Aug 2022)
Changed paths:
A .werks/14381
M notifications/sms
Log Message:
-----------
14381 SEC Fix command injection in SMS notification script
Previous to this Werk it was possible to inject arbitrary shell commands
when sending SMS notifications. For this, attackers would have needed to
place a crafted string in a user's Pager Address, which was not properly
escaped by the SMS script.
In most setups, this issue will not be exploitable: Changing a user's
Pager Address requires the User Management permission. Users with that
permission are effectively Administrators and can thus already
legitimately execute code in the Site context. Note however, that in
some setups the attribute can also be configured by external interfaces,
for example via LDAP User Synchronization.
<b>Affected Versions</b>: All currently supported versions are affected:
1.6, 2.0, and 2.1.
<b>Mitigations</b>: As an immediate mitigation all notifications via the
method "SMS (using smstools)" can be disabled. Note that users' personal
notification rules are affected as well.
<b>Indicators of Compromise</b>: If you suspect this issue might have
been exploited in your installation, validate users' Pager Address
fields. Check the Audit Log for changes to this field.
<b>Vulnerability Management</b>: We have rated the issue with a CVSS
Score of 8.0 (High) with the following CVSS vector:
<tt>CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H</tt>. A CVE has been
requested.
<b>Changes</b>: This Werk replaces a hazardous call to
<tt>os.system</tt> by a safer alternative and adds additional validation
to the Pager Address before attempting to send SMS to it. Valid Pager
Addresses may now include letters, numbers, space characters, any of the
characters <tt>. / - ()</tt>, as well as a <tt>+</tt> character at the
beginning.
Change-Id: I75d5ea3ac8cc3e0e9eb9390cef2d70cfa4cac38d
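Added example (not part of the commit and not Checkmk's own code): a Python sketch of the two changes Werk 14381 describes, validating the Pager Address and invoking the sender without a shell, plus an audit helper for the Indicators of Compromise check. The regex is this example's reading of the Werk text; SEND_TOOL, the function names and the sample users are hypothetical.

```python
import re
import subprocess

# Allowed set as Werk 14381 describes it: letters, digits, spaces, ". / - ( )",
# plus an optional "+" at the beginning only. Assumption: ASCII letters; the
# exact pattern in notifications/sms is not shown on this page.
PAGER_RE = re.compile(r"\+?[A-Za-z0-9 ./()\-]+")

SEND_TOOL = "/usr/bin/example-sms-send"  # hypothetical sender binary


def is_valid_pager_address(address):
    # fullmatch: the whole string must fit, so a trailing newline or ";" fails.
    return PAGER_RE.fullmatch(address) is not None


def build_send_argv(recipient, message):
    """Validate first, then return an argument vector instead of a shell string."""
    if not is_valid_pager_address(recipient):
        raise ValueError("invalid pager address: %r" % recipient)
    return [SEND_TOOL, recipient, message]


def send_sms(recipient, message):
    # A list with the default shell=False is handed to exec directly: no shell
    # parses it, so metacharacters in either argument stay literal data.
    return subprocess.run(build_send_argv(recipient, message), check=False).returncode


def audit_pager_addresses(users):
    """Return user IDs whose configured pager address fails validation."""
    return sorted(u for u, p in users.items() if p and not is_valid_pager_address(p))


# Constructed sample data (user ID -> Pager Address), not taken from any site.
SAMPLE_USERS = {
    "alice": "+49 170 1234567",
    "bob": "(0170) 123-45.67/8",
    "carol": "0170 1234567; id",   # shell metacharacter
    "dave": "0170+123",            # "+" not at the beginning
    "erin": "",                    # no pager configured
}

if __name__ == "__main__":
    print(audit_pager_addresses(SAMPLE_USERS))
```

Users flagged by the audit helper are the ones whose Pager Address changes are worth tracing in the Audit Log.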
Commit: 364d2c35ce060e23e780300b6be42545a1c835a0
https://github.com/tribe29/checkmk/commit/364d2c35ce060e23e780300b6be42545a…
Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com>
Date: 2022-08-29 (Mon, 29 Aug 2022)
Changed paths:
A .werks/14383
M cmk/gui/plugins/userdb/hook_auth.py
M cmk/gui/watolib/tags.py
M cmk/gui/watolib/utils.py
M tests/unit/cmk/gui/watolib/test_watolib.py
Log Message:
-----------
14383 SEC Fix code injection in watolib
This Werk fixes a code injection vulnerability in watolib.
Prior to this Werk it was possible for authenticated users to inject PHP
code in files generated by Wato for NagVis integration. The code would
be executed once a request to the respective NagVis component is made.
The underlying reason for this issue was that user data entered in Wato
was not properly sanitized when writing to the PHP file.
We thank Stefan Schiller (SonarSource) for reporting this issue.
Affected Versions: All currently supported versions are affected:
1.6, 2.0, and 2.1.
Mitigations: As an immediate mitigation you can entirely disable
PHP on your server. Note that NagVis will not work anymore without PHP.
Indicators of Compromise: Malicious code is injected in either of
the files <tt>var/check_mk/wato/auth/auth.php</tt> or
<tt>var/check_mk/wato/php-api/hosttags.php</tt>. Check these files for
suspicious code.
Vulnerability Management: We have rated the issue with a CVSS
Score of 9.1 (Critical) with the following CVSS vector:
<tt>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L</tt>. A CVE has been
requested.
Changes: This Werk fixes the vulnerability by improving
sanitization.
CMK-11206
Change-Id: I54e0dc8ed44df4cbb4d873de2bab9b91f391368c
Commit: 5270f8ea1ee80ca492884ebde0c3d077fcc7dbfb
https://github.com/tribe29/checkmk/commit/5270f8ea1ee80ca492884ebde0c3d077f…
Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com>
Date: 2022-08-29 (Mon, 29 Aug 2022)
Changed paths:
M cmk/gui/plugins/userdb/hook_auth.py
Log Message:
-----------
fix broken import
restore code duplication
Change-Id: Ic4c357dbd31fc9eb16de9e35a97de2af9792ca31
Commit: ece97ab915aa3335e4e10e65eb4b3184fd7caba6
https://github.com/tribe29/checkmk/commit/ece97ab915aa3335e4e10e65eb4b3184f…
Author: Lars Michelsen <lm(a)tribe29.com>
Date: 2022-08-30 (Tue, 30 Aug 2022)
Changed paths:
A .werks/14291
R omd/packages/nagvis/nagvis-1.9.29.tar.gz
A omd/packages/nagvis/nagvis-1.9.34.tar.gz
M omd/packages/nagvis/nagvis.make
Log Message:
-----------
14291 SEC NagVis: Updated to 1.9.34 (Fix security issues)
This update of NagVis fixes the following security issues:
1. Fix SSRF (triggerable by admin users)
An administrative user with access to the global options, could perform a
server-side request forgery.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L (8.2)
2. Fix arbitrary file read
An authenticated attacker can read arbitrary files with the permissions of the
web server user.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L (9.1)
3. Fix type juggling vulnerability in cookie hash processing
An attacker could bypass the authentication and gain access to the NagVis
component of checkmk.
Change-Id: I014996ba270dc1fc0ef7829ee85f8f716aa9cd03
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N (3.7)
Compare:
https://github.com/tribe29/checkmk/compare/58546036bf54...ece97ab915aa