Checkmk werks level1

checkmk-werks-lvl1@lists.checkmk.com

1 participants
15936 discussions

[2.2.0] Checkmk Werk 16172 created: kaspersky_av: Don't run kav4fs-control or kesl-control if they aren't owned by root

by Checkmk werks level 1

Title: kaspersky_av: Don't run kav4fs-control or kesl-control if they aren't owned by root Class: security Compatible: compat Component: checks Date: 1709025290 Edition: cre Level: 1 Version: 2.2.0p24 Kaspersky Anti-Virus plugin uses /opt/kaspersky/kav4fs/bin/kav4fs-control and /opt/kaspersky/kesl/bin/kesl-control commands to monitor a Kaspersky Anti-Virus installation. To prevent privilege escalation, the plugin (which is run by root user) must not run executables which can be changed by less privileged users. In the default installation, kav4fs-control and kesl-control commands are owned by root and root is the only user with write permissions, which prevents privilege escalation attacks. With this Werk, the plugin checks if control commands are owned by root and root is the only user with write permissions before running the command. If that's not the case the commands won't be run. This prevents privilege escalation attacks if the permissions of the control commands have been changed. We rate this with a CVSS of 0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N). This CVSS is primarily meant to please automatic scanners.

7 months

[2.4.0] Checkmk Werk 16238 created: Add m7i.large as aws resource type

by Checkmk werks level 1

[//]: # (werk v2) # Add m7i.large as aws resource type key | value ---------- | --- compatible | yes version | 2.4.0b1 date | 2024-02-27T12:50:29+00:00 level | 1 class | feature component | checks edition | cre You're affected if your aws_ec2_limits check reported "Unknown resource" and you're using "m7i.large". The aws resource names are changing from time to time and we will need to find a more stable solution for that in the future. But for now, this will be fixed by adding the resource name "m7i.large" to our internal list of aws resources.

7 months

[2.4.0] Checkmk Werk 15320 created: heartbeat_crm_resources: unmanaged stopped resources could not go critical

by Checkmk werks level 1

[//]: # (werk v2) # heartbeat_crm_resources: unmanaged stopped resources could not go critical key | value ---------- | --- date | 2024-01-25T13:39:59+00:00 version | 2.4.0b1 class | fix edition | cre component | checks level | 1 compatible | yes Stopped resources are marked `CRIT`. If a resources was stopped and unmanaged, it was not marked as `CRIT`.

7 months

[2.4.0] Checkmk Werk 15321 created: Fix "State if specific check plugins receive no monitoring data" of Rule "Status of the Checkmk service"

by Checkmk werks level 1

[//]: # (werk v2) # Fix "State if specific check plugins receive no monitoring data" of Rule "Status of the Checkmk service" key | value ---------- | --- date | 2024-01-29T12:49:03+00:00 version | 2.4.0b1 class | fix edition | cre component | checks level | 1 compatible | yes Rule "Status of the Checkmk service" provides a setting called "State if specific check plugins receive no monitoring data" where you can specify a regular expression to match specific check plugins, and assign a status for the "Check_MK" service if this check plugins receives no data. The feature did work correctly if you specified a Status worse than "WARN". But the "Check_MK" service went to "WARN" even if there was an rule to set the status to "OK" if the specific section did not receive any data. This is fixed now.

7 months

[2.4.0] Checkmk Werk 16173 created: symantec_av: Don't run sav command if it isn't owned by root

by Checkmk werks level 1

[//]: # (werk v2) # symantec_av: Don't run sav command if it isn't owned by root key | value ---------- | --- date | 2024-02-28T08:58:09+00:00 version | 2.4.0b1 class | security edition | cre component | checks level | 1 compatible | yes Symantec Anti Virus plugin uses /opt/Symantec/symantec_antivirus/sav command to monitor a Symantec Anti Virus installation. To prevent privilege escalation, the plugin (which is run by root user) must not run executables which can be changed by less privileged users. In the default installation, sav command is owned by root and root is the only user with write permissions, which prevents privilege escalation attacks. With this Werk, the plugin checks if sav command is owned by root and root is the only user with write permissions before running the command. If that's not the case the command won't be run. This prevents privilege escalation attacks if the permissions of the sav command have been changed. We rate this with a CVSS of 0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N). This CVSS is primarily meant to please automatic scanners. CMK-15318

7 months

[2.4.0] Checkmk Werk 14224 created: Frozen BI: Frozen icon now also indicates if the non-frozen version differs from the frozen one

by Checkmk werks level 1

[//]: # (werk v2) # Frozen BI: Frozen icon now also indicates if the non-frozen version differs from the frozen one key | value ---------- | --- date | 2024-02-27T15:09:59+00:00 version | 2.4.0b1 class | feature edition | cre component | bi level | 1 compatible | yes

7 months

[2.4.0] Checkmk Werk 16237 created: Path to mysql.ini under Windows for mk_sql

by Checkmk werks level 1

[//]: # (werk v2) # Path to mysql.ini under Windows for mk_sql key | value ---------- | --- date | 2024-02-23T11:26:08+00:00 version | 2.4.0b1 class | fix edition | cre component | checks level | 1 compatible | yes If you've been using mysql and the corresponding agent plugin *mk_sql* under Windows, the plugin may have crashed and the agent output would then show the following error: ``` <<<mysql_ping>>> [[MySQL83]] mysqladmin: File '\etc\check_mk\mysql.local.ini' not found (OS errno 2 - No such file or directory) mysqladmin: [ERROR] Stopped processing the 'include' directive in file C:\ProgramData\checkmk\agent\config\mysql.ini at line 8. ``` Under Windows, the plugin config path `C:\ProgramData\checkmk\agent\config` is now used. In contrast to the corresponding Linux plugin `mk_mysql`, the config path under Windows cannot be changed.

7 months

[2.1.0] Checkmk Werk 16361 created: Privilege escalation in Windows agent

by Checkmk werks level 1

Title: Privilege escalation in Windows agent Class: security Compatible: compat Component: checks Date: 1708958658 Edition: cre Level: 1 Version: 2.1.0p40 In order to execute some system commands Checkmk Windows agent writes cmd files to <code>C:\Windows\Temp\</code> and afterwards executes them. The permissions of the files were set restrictive but existing files were not properly handled. If a cmd file already existed and was write protected the agent was not able to rewrite the file but did not handle this case and executed the file nevertheless. We thank Michael Baer (SEC Consult Vulnerability Lab) for reporting this issue. Affected Versions: * 2.2.0 * 2.1.0 * 2.0.0 Indicators of Compromise: The filename of the cmd file needed to be guessed therefore the proof-of-concept creates a lot of files in <code>C\Windows\Temp</code> with the filename <code>cmk_all_\d+_1.cmd</code>. These file-creation events could be monitored. Vulnerability Management: We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>. We assigned CVE-2024-0670 to this vulnerability. Changes: This Werk changes the temp folder and adds a subfolder with more restrictive permissions in which the files are created. Also errors are handled better.

7 months

[2.2.0] Checkmk Werk 16361 created: Privilege escalation in Windows agent

by Checkmk werks level 1

Title: Privilege escalation in Windows agent Class: security Compatible: compat Component: checks Date: 1708958658 Edition: cre Level: 1 Version: 2.2.0p23 In order to execute some system commands Checkmk Windows agent writes cmd files to `C:\Windows\Temp\` and afterwards executes them. The permissions of the files were set restrictive but existing files were not properly handled. If a cmd file already existed and was write protected the agent was not able to rewrite the file but did not handle this case and executed the file nevertheless. We thank Michael Baer (SEC Consult Vulnerability Lab) for reporting this issue. **Affected Versions**: * 2.2.0 * 2.1.0 * 2.0.0 **Indicators of Compromise**: The filename of the cmd file needed to be guessed therefore the proof-of-concept creates a lot of files in `C\Windows\Temp` with the filename `cmk_all_\d+_1.cmd`. These file-creation events could be monitored. **Vulnerability Management**: We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`. We assigned CVE-2024-0670 to this vulnerability. **Changes**: This Werk changes the temp folder and adds a subfolder with more restrictive permissions in which the files are created. Also errors are handled better.

7 months

[2.2.0] Checkmk Werk 16530 created: Make EC UPDATE command use a list of events

by Checkmk werks level 1

Title: Make EC UPDATE command use a list of events Class: fix Compatible: compat Component: ec Date: 1708958925 Edition: cee Level: 1 Version: 2.2.0p23 Event Console UPDATE command accepts a list of events instead of a single event. With this change the GUI will send a list of events to be updated to the Event Console. This allows for multiple events to be updated in a single command. Avoids the situation where some events are updated and others are not.

7 months

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

Checkmk werks level1