Checkmk werks level1 July 2024

checkmk-werks-lvl1@lists.checkmk.com

1 participants
398 discussions

[2.3.0] Checkmk Werk 16434 adapted: Synthetic Monitoring: Privilege Escalation

by Checkmk werks level 1

Werk 16434 was adapted. The following is the new Werk, a diff is shown at the end of the message. [//]: # (werk v2) # Synthetic Monitoring: Privilege Escalation key | value ---------- | --- date | 2024-06-24T14:56:31+00:00 version | 2.3.0p8 class | security edition | cee component | agents level | 1 compatible | yes The Robotmk scheduler was affected by a privilege escalation issue. This issue affects users, which have configured the rule `Robotmk scheduler (Windows)`. Specifically, an attacker is able to exploit the issue, if 1. `Automated environment setup (via RCC)` was configured in the `Robotmk scheduler (Windows)` rule, 2. the same plan was configured without configuring `Execute plan as a specific user` 3. and a user on the host, onto which the scheduler has been deployed, was compromised. In this event, the attacker could gain SYSTEM privileges on the host. If `Execute plan as a specific user` _is_ configured, then the attacker could compromise that specific user, rather than SYSTEM. There is a second similar, but distinct issue. If - there are two or more plans configured with `Execute plan as a specific user` with distinct users - and one of the configured users was already compromised. The attacker could then compromise the other user. *Background*: The Robotmk scheduler is started by the Checkmk agent that runs with SYSTEM privileges. Moreover, Robotmk allows the user to automatically build Python environments via RCC. During setup the scheduler would enable a RCC feature called `shared holotree usage`. This feature allows all users on the host to edit these Python environments. Thus, any compromised user on the host is also able to compromise a user, which executes code from these shared environments. With this Werk, `shared holotree usage` will no longer be enabled. Affected users will have their access to the vulnerable Python environments revoked. Moreover, the permissions inside of the working directory of Robotmk have been reworked. Users now only have access to directories, which are required for their own executions. Note, you must update both Checkmk and redeploy the latest Robotmk Scheduler. *Affected Versions*: * 2.3.0 *Mitigations*: If updating is not possible: * Do not use the rule `Automated environment setup (via RCC)`. * Always use the same user for `Execute plan as a specific user`. *Vulnerability Management*: We have rated the issue with a CVSS Score of 7.8 (High) with the following CVSS vector: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`. CVE-2024-39934 has been assigned to this issue. ------------------------------------<diff>------------------------------------------- [//]: # (werk v2) # Synthetic Monitoring: Privilege Escalation key | value ---------- | --- date | 2024-06-24T14:56:31+00:00 - version | 2.3.0p11 ? ^^ + version | 2.3.0p8 ? ^ class | security edition | cee component | agents level | 1 compatible | yes The Robotmk scheduler was affected by a privilege escalation issue. This issue affects users, which have configured the rule `Robotmk scheduler (Windows)`. Specifically, an attacker is able to exploit the issue, if 1. `Automated environment setup (via RCC)` was configured in the `Robotmk scheduler (Windows)` rule, 2. the same plan was configured without configuring `Execute plan as a specific user` 3. and a user on the host, onto which the scheduler has been deployed, was compromised. In this event, the attacker could gain SYSTEM privileges on the host. If `Execute plan as a specific user` _is_ configured, then the attacker could compromise that specific user, rather than SYSTEM. There is a second similar, but distinct issue. If - there are two or more plans configured with `Execute plan as a specific user` with distinct users - and one of the configured users was already compromised. The attacker could then compromise the other user. *Background*: The Robotmk scheduler is started by the Checkmk agent that runs with SYSTEM privileges. Moreover, Robotmk allows the user to automatically build Python environments via RCC. During setup the scheduler would enable a RCC feature called `shared holotree usage`. This feature allows all users on the host to edit these Python environments. Thus, any compromised user on the host is also able to compromise a user, which executes code from these shared environments. With this Werk, `shared holotree usage` will no longer be enabled. Affected users will have their access to the vulnerable Python environments revoked. Moreover, the permissions inside of the working directory of Robotmk have been reworked. Users now only have access to directories, which are required for their own executions. Note, you must update both Checkmk and redeploy the latest Robotmk Scheduler. *Affected Versions*: * 2.3.0 *Mitigations*: If updating is not possible: * Do not use the rule `Automated environment setup (via RCC)`. * Always use the same user for `Execute plan as a specific user`. *Vulnerability Management*: We have rated the issue with a CVSS Score of 7.8 (High) with the following CVSS vector: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`. CVE-2024-39934 has been assigned to this issue.

1 month, 2 weeks

[2.3.0] Checkmk Werk 15714 adapted: Add support for Checkmk Appliance 1.7+

by Checkmk werks level 1

Werk 15714 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: Add support for Checkmk Appliance 1.7+ Class: feature Compatible: compat Component: distros Date: 1701285077 Edition: cre Level: 2 Version: 2.3.0b1 ------------------------------------<diff>------------------------------------------- Title: Add support for Checkmk Appliance 1.7+ Class: feature Compatible: compat Component: distros Date: 1701285077 Edition: cre Level: 2 - Version: 2.2.0p17 ? ^ ^ - + Version: 2.3.0b1 ? ^ ^ -

1 month, 2 weeks

[2.3.0] Checkmk Werk 16589 adapted: Monitor Redfish compatible management boards / BMCs via optional MKP

by Checkmk werks level 1

Werk 16589 was adapted. The following is the new Werk, a diff is shown at the end of the message. [//]: # (werk v2) # Monitor Redfish compatible management boards / BMCs via optional MKP key | value ---------- | --- date | 2024-03-06T16:44:06+00:00 version | 2.3.0b3 class | feature edition | cre component | checks level | 1 compatible | yes You can now monitor _Redfish_ compatible management boards / BMCs with Checkmk. To do so, please enable the natively shipped MKP redfish in _Setup --> Extension packages_ (in commercial editions of Checkmk) or via the command line tool `mkp` (in Checkmk Raw). This will enable a new datasource program under _Setup --> Other integrations --> Redfish Compatible Management Controller_. This is an experimental integration created and supported by the Checkmk community (Andreas Döhler/Yogibaer75), which has already been tested in many environments. However, due to the diverse nature of server hardware, we plan to integrate it entirely for Checkmk 2.4.0, once we have gathered further feedback. You can find the latest versions of the extensions in [Andreas' GitHub repository](https://github.com/Yogibaer75/Check_MK-Things/tree/master/check…. There you can also raise issues or raise pull requests until the plug-ins will be mainlined into Checkmk. ------------------------------------<diff>------------------------------------------- [//]: # (werk v2) # Monitor Redfish compatible management boards / BMCs via optional MKP key | value ---------- | --- date | 2024-03-06T16:44:06+00:00 - version | 2.3.0p11 ? ^^^ + version | 2.3.0b3 ? ^^ class | feature edition | cre component | checks level | 1 compatible | yes You can now monitor _Redfish_ compatible management boards / BMCs with Checkmk. To do so, please enable the natively shipped MKP redfish in _Setup --> Extension packages_ (in commercial editions of Checkmk) or via the command line tool `mkp` (in Checkmk Raw). This will enable a new datasource program under _Setup --> Other integrations --> Redfish Compatible Management Controller_. This is an experimental integration created and supported by the Checkmk community (Andreas Döhler/Yogibaer75), which has already been tested in many environments. However, due to the diverse nature of server hardware, we plan to integrate it entirely for Checkmk 2.4.0, once we have gathered further feedback. You can find the latest versions of the extensions in [Andreas' GitHub repository](https://github.com/Yogibaer75/Check_MK-Things/tree/master/check…. There you can also raise issues or raise pull requests until the plug-ins will be mainlined into Checkmk.

1 month, 2 weeks

[2.3.0] Checkmk Werk 15373 adapted: time_period: disallow builtin timeperiod as the exclude option

by Checkmk werks level 1

Werk 15373 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: time_period: disallow builtin timeperiod as the exclude option Class: fix Compatible: compat Component: config Date: 1676358006 Edition: cre Knowledge: doc Level: 1 Version: 2.3.0b1 This werk fixes an issue where the user could via the gui interface, select the builtin time period 24X7 as the timeperiod to exclude in a custom time period. This is no longer possible. If there are no other time periods to select, the exclude option will not be shown. ------------------------------------<diff>------------------------------------------- Title: time_period: disallow builtin timeperiod as the exclude option Class: fix Compatible: compat Component: config Date: 1676358006 Edition: cre Knowledge: doc Level: 1 - Version: 2.2.0b1 ? ^ + Version: 2.3.0b1 ? ^ This werk fixes an issue where the user could via the gui interface, select the builtin time period 24X7 as the timeperiod to exclude in a custom time period. This is no longer possible. If there are no other time periods to select, the exclude option will not be shown. -

1 month, 2 weeks

[2.3.0] Checkmk Werk 16809 adapted: check_by_ssh: Crashed in 2.3 beta if 'timeout' was configured

by Checkmk werks level 1

Werk 16809 was adapted. The following is the new Werk, a diff is shown at the end of the message. [//]: # (werk v2) # check_by_ssh: Crashed in 2.3 beta if 'timeout' was configured key | value ---------- | --- date | 2024-04-25T10:27:15+00:00 version | 2.3.0p1 class | fix edition | cre component | checks level | 1 compatible | yes ------------------------------------<diff>------------------------------------------- [//]: # (werk v2) # check_by_ssh: Crashed in 2.3 beta if 'timeout' was configured key | value ---------- | --- date | 2024-04-25T10:27:15+00:00 - version | 2.3.0b7 ? ^^ + version | 2.3.0p1 ? ^^ class | fix edition | cre component | checks level | 1 compatible | yes - -

1 month, 2 weeks

[2.3.0] Checkmk Werk 16682 adapted: Ruleset API: Fix migration with scaling of SimpleLevels

by Checkmk werks level 1

Werk 16682 was adapted. The following is the new Werk, a diff is shown at the end of the message. [//]: # (werk v2) # Ruleset API: Fix migration with scaling of SimpleLevels key | value ---------- | --- date | 2024-04-17T11:19:36+00:00 version | 2.3.0b6 class | fix edition | cre component | checks level | 1 compatible | no This change is relevant to plugin developers The migration helper functions `migrate_to_integer_simple_levels` and `migrate_to_float_simple_levels` for `SimpleLevels` currently apply the scaling factor (if given) every time the migration is run, meaning also to the already migrated value. This means any rule where these helpers are used with a scaling factor will have incorrect values and will have to be manually corrected. No shipped rules are affected by this. ------------------------------------<diff>------------------------------------------- [//]: # (werk v2) # Ruleset API: Fix migration with scaling of SimpleLevels key | value ---------- | --- date | 2024-04-17T11:19:36+00:00 - version | 2.3.0 + version | 2.3.0b6 ? ++ class | fix edition | cre component | checks level | 1 compatible | no This change is relevant to plugin developers The migration helper functions `migrate_to_integer_simple_levels` and `migrate_to_float_simple_levels` for `SimpleLevels` currently apply the scaling factor (if given) every time the migration is run, meaning also to the already migrated value. This means any rule where these helpers are used with a scaling factor will have incorrect values and will have to be manually corrected. No shipped rules are affected by this. -

1 month, 2 weeks

[2.3.0] Checkmk Werk 17152 created: Re-introduce missing requirement documentation for interface check

by Checkmk werks level 1

[//]: # (werk v2) # Re-introduce missing requirement documentation for interface check key | value ---------- | --- date | 2024-07-30T15:18:46+00:00 version | 2.3.0p12 class | fix edition | cre component | checks level | 1 compatible | yes During consolidation of various interface checks, necessary prerequisites for the Solaris and HP-UX were omitted from the documentation. In this werk, https://checkmk.com/integrations/interfaces is updated include the necessary prerequisites to monitor network interfaces on all operating systems again.

1 month, 2 weeks

[2.4.0] Checkmk Werk 17151 created: Make Microsoft IIS monitoring locale independent

by Checkmk werks level 1

[//]: # (werk v2) # Make Microsoft IIS monitoring locale independent key | value ---------- | --- date | 2024-07-24T12:52:15+00:00 version | 2.4.0b1 class | fix edition | cre component | checks level | 1 compatible | no Previously, the agent requesting the IIS App Pool state was hard-coded to work only on host machines localized in English. In this werk, the agent has been updated to work independently of host system locale. **Incompatible Change:** You have to redeploy the agent plugin in order to apply this feature.

1 month, 2 weeks

[2.4.0] Checkmk Werk 17152 created: Re-introduce missing requirement documentation for interface check

by Checkmk werks level 1

[//]: # (werk v2) # Re-introduce missing requirement documentation for interface check key | value ---------- | --- date | 2024-07-30T15:18:46+00:00 version | 2.4.0b1 class | fix edition | cre component | checks level | 1 compatible | yes During consolidation of various interface checks, necessary prerequisites for the Solaris and HP-UX were omitted from the documentation. In this werk, https://checkmk.com/integrations/interfaces is updated include the necessary prerequisites to monitor network interfaces on all operating systems again.

1 month, 2 weeks

[2.4.0] Checkmk Werk 17121 created: users: allow user edit saving when 'authorized_sites' attribute is locked

by Checkmk werks level 1

[//]: # (werk v2) # users: allow user edit saving when 'authorized_sites' attribute is locked key | value ---------- | --- date | 2024-07-29T12:08:49+00:00 version | 2.4.0b1 class | fix edition | cre component | wato level | 1 compatible | yes Prior to this werk, an error occurred when attempting to save the user edit page if the 'authorized_sites' attribute was locked. This werk resolves the issue.

1 month, 2 weeks

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

Checkmk werks level1 July 2024