Title: fix a privilege escalation vulnerability in the Checkmk Windows Agent
Class: security
Compatible: compat
Component: checks
Date: 1719843798
Edition: cre
Level: 2
Version: 2.2.0p29
This Werk fixes a privilege escalation vulnerability in the Checkmk Windows
Agent.
Prior to this Werk, it was possible for authenticated users on the monitored
Windows host to execute commands as the administrator account that is used to run
the Agent, allowing them to elevate their privileges.
The cause of this issue was excessive write permissions on the
<code>ProgramData\checkmk\agent</code> directory.
Note that you must update Checkmk as well as the agent in order to apply this
fix.
This issue was found in a commissioned penetration test conducted by modzero
GmbH.
<em>Affected Versions</em>:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
<em>Mitigations</em>:
If updating is not possible, you can manually remove write access for non-admin
users on the <code>ProgramData\checkmk\agent</code> folder.
To do this, navigate to the folder's property settings and make sure to verify
the special permissions and advanced permission settings in addition to the
basic permission settings.
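To check the folder from the command line rather than through the property dialogs, the following read-only PowerShell audit lists every Allow entry that grants write-type rights (special and inherited ones included) to an account other than SYSTEM or BUILTIN\Administrators. It is an added example, not part of the original Werk or of Checkmk's tooling; the two-SID allow-list and the function name are assumptions.

```powershell
# Added example: report Allow ACEs that give write-type rights on the agent
# data directory to anything other than SYSTEM and BUILTIN\Administrators.
# The allow-list is an assumption; extend it if your setup legitimately differs.
$AgentDir    = Join-Path $env:ProgramData 'checkmk\agent'
$TrustedSids = @('S-1-5-18', 'S-1-5-32-544')   # SYSTEM, Administrators

# WriteData | AppendData | WriteEA | DeleteChild | WriteAttributes | Delete |
# WriteDAC | WriteOwner, plus GENERIC_ALL and GENERIC_WRITE, which show up
# unmapped on some inherit-only ACEs.
$WriteMask = 0x500D0156

function Get-NonAdminWriteAce {
    param([Parameter(Mandatory)][string]$Path)

    # The folder itself plus everything below it, hidden items included.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Ask for SIDs directly so orphaned or localized names cannot hide an entry.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($TrustedSids -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }

            # Resolve the SID to a name for the report; keep going if that fails.
            $name = try {
                $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
            } catch { '<unresolved>' }

            [pscustomobject]@{
                Path      = $item.FullName
                Account   = $name
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                Flags     = "$($ace.InheritanceFlags)/$($ace.PropagationFlags)"
            }
        }
    }
}

Get-NonAdminWriteAce -Path $AgentDir | Sort-Object Path, Account | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt; an empty result means no account outside the allow-list holds write access anywhere under the folder. Rows with `Inherited = True` come from a parent folder and have to be addressed there or by disabling inheritance on the agent folder.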
<em>Vulnerability Management</em>:
We have rated the issue with a CVSS Score of 8.8 High (<code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>)
and assigned <code>CVE-2024-28827</code>.
Title: omd restore: Fix RuntimeError: Failed to determine site version
Class: fix
Compatible: compat
Component: omd
Date: 1718107423
Edition: cre
Level: 1
Version: 2.2.0p29
Due to a regression introduced by <a href="https://checkmk.com/werk/16422">Werk #16422</a>, the
command `omd restore <NEW_SITE> <ARCHIVE_PATH>` could fail:
C+:
File "/omd/versions/2.3.0p6.cee/lib/python3/omdlib/main.py", line 3522, in _restore_backup_from_tar
old_site.replacements(),
^^^^^^^^^^^^^^^^^^^^^^^
File "/omd/versions/2.3.0p6.cee/lib/python3/omdlib/contexts.py", line 136, in replacements
raise RuntimeError("Failed to determine site version")
C-:
The failure only occurred if the user provided a site name that differed from the original name
and the original site no longer existed. This crash also affected the `Migrate existing Site`
function of the appliance.
If you are affected by this crash but are unable to update, you can start by restoring the
site without a new name. The site can then be renamed with `omd mv`.
Title: Fix Various CSRF Issues
Class: security
Compatible: compat
Component: wato
Date: 1718958734
Edition: cre
Level: 1
Version: 2.2.0p29
This Werk adds previously missing CSRF-Token validation to various endpoints in WATO.
The lack of CSRF-Token validation could allow an attacker to perform actions on behalf of a user without their consent, by tricking the user into clicking on a malicious link.
This vulnerability was identified during a commissioned penetration test conducted by PS Positive Security GmbH.
<em>Affected Versions</em>:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL)
<em>Vulnerability Management</em>:
We have rated the issue with a CVSS Score of 8.8 High with the following CVSS vector: <code>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</code> and assigned CVE <code>CVE-2024-28828</code>.
Werk 17010 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: XSS in SQL check parameters
Class: security
Compatible: compat
Component: wato
Date: 1718618899
Edition: cre
Level: 1
Version: 2.2.0p29
Prior to this Werk an attacker could add HTML to one parameter of the <em>Check SQL database</em> rule which was executed on the overview page.
We found this vulnerability internally.
<strong>Affected Versions</strong>:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (probably older versions as well)
<strong>Indicators of Compromise</strong>:
The creation of such rules is logged in the audit log. You can therefore check the <code>wato_audit.log</code> either on the terminal or in the UI for entries that contain malicious HTML.
<strong>Vulnerability Management</strong>:
We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L</code>
We assigned CVE-2024-6052 to this vulnerability.
<strong>Changes</strong>:
This Werk fixes the escaping.
------------------------------------<diff>-------------------------------------------
Title: XSS in SQL check parameters
Class: security
Compatible: compat
Component: wato
Date: 1718618899
Edition: cre
Level: 1
- Version: 2.2.0p28
? ^
+ Version: 2.2.0p29
? ^
Prior to this Werk an attacher could add HTML to one parameter of the <em>Check SQL database</em> rule which was executed on the overview page.
We found this vulnerability internally.
<strong>Affected Versions</strong>:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (probably older versions as well)
<strong>Indicators of Compromis</strong>:
The creation of such rules is logged in the audit log. You can therefore check the <code>wato_audit.log</code> either on the terminal or in the UI for entries that contain malicious HTML.
<strong>Vulnerability Management</strong>:
We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L</code>
We assigned CVE-2024-6052 to this vulnerability.
<strong>Changes</strong>:
This Werk fixes the escaping.
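Review bot: the "Indicators of Compromis" paragraph points admins at wato_audit.log but never names which parameter of the Check SQL database rule was affected, so there is nothing concrete to search for. Since the Werk is being re-issued for 2.2.0p29 anyway, name the parameter there, and correct "attacher" and "Compromis" in the same pass.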
Title: XSS in SQL check parameters
Class: security
Compatible: compat
Component: wato
Date: 1718618899
Edition: cre
Level: 1
Version: 2.2.0p28
Prior to this Werk an attacker could add HTML to one parameter of the <em>Check SQL database</em> rule which was executed on the overview page.
We found this vulnerability internally.
<strong>Affected Versions</strong>:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (probably older versions as well)
<strong>Indicators of Compromise</strong>:
The creation of such rules is logged in the audit log. You can therefore check the <code>wato_audit.log</code> either on the terminal or in the UI for entries that contain malicious HTML.
<strong>Vulnerability Management</strong>:
We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L</code>
We assigned CVE-2024-6052 to this vulnerability.
<strong>Changes</strong>:
This Werk fixes the escaping.
[//]: # (werk v2)
# proxmox: Fix log parsing crash for Proxmox versions 3.2.4 and newer
key | value
---------- | ---
compatible | yes
version | 2.3.0p9
date | 2024-06-28T14:34:01+00:00
level | 1
class | fix
component | checks
edition | cre
The backup log format changed in Proxmox version 3.2.4 which resulted in a crash
in the Proxmox special agent.
The special agent can now handle both the old and the new format of backup log messages.
Werk 16431 was adapted. The following is the new Werk, a diff is shown at the end of the message.
[//]: # (werk v2)
# omd restore: Fix RuntimeError: Failed to determine site version
key | value
---------- | ---
compatible | yes
version | 2.3.0p9
date | 2024-06-11T12:03:43+00:00
level | 1
class | fix
component | omd
edition | cre
Due to a regression introduced by <a href="https://checkmk.com/werk/16422">Werk #16422</a>, the
command `omd restore <NEW_SITE> <ARCHIVE_PATH>` could fail:
```
File "/omd/versions/2.3.0p6.cee/lib/python3/omdlib/main.py", line 3522, in _restore_backup_from_tar
old_site.replacements(),
^^^^^^^^^^^^^^^^^^^^^^^
File "/omd/versions/2.3.0p6.cee/lib/python3/omdlib/contexts.py", line 136, in replacements
raise RuntimeError("Failed to determine site version")
```
The failure only occurred if the user provided a site name that differed from the original name
and the original site no longer existed. This crash also affected the `Migrate existing Site`
function of the appliance.
If you are affected by this crash but are unable to update, you can start by restoring the
site without a new name. The site can then be renamed with `omd mv`.
------------------------------------<diff>-------------------------------------------
[//]: # (werk v2)
# omd restore: Fix RuntimeError: Failed to determine site version
key | value
---------- | ---
compatible | yes
- version | 2.3.0p8
? ^
+ version | 2.3.0p9
? ^
date | 2024-06-11T12:03:43+00:00
level | 1
class | fix
component | omd
edition | cre
Due to a regression introduced by Werk <a href="https://checkmk.com/werk/16422">Werk #16422</a>, the
command `omd restore <NEW_SITE> <ARCHIVE_PATH>` could fail:
```
File "/omd/versions/2.3.0p6.cee/lib/python3/omdlib/main.py", line 3522, in _restore_backup_from_tar
old_site.replacements(),
^^^^^^^^^^^^^^^^^^^^^^^
File "/omd/versions/2.3.0p6.cee/lib/python3/omdlib/contexts.py", line 136, in replacements
raise RuntimeError("Failed to determine site version")
```
The failure only occured, if the user provided a site name, which differed from the original name,
and the original site did no longer exist. This crash also affected the `Migrate existing Site`
function of the appliance.
If you are affected by this crash, but are unable to update, then you can start be restoring the
site without a new name. The site can then be renamed with `omd mv`.
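Review bot: only the version line changes (2.3.0p8 to 2.3.0p9), while the quoted traceback still cites /omd/versions/2.3.0p6.cee/ and the text never says which releases carry the regression from Werk #16422. State the first affected version next to the workaround so readers on an intermediate patch level know whether it applies to them. The context lines also keep "occured" and "start be restoring", which could be corrected in the same revision.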
[//]: # (werk v2)
# HW/SW Inventory: Fix missing joined service columns if a service is assigned to a cluster
key | value
---------- | ---
date | 2024-07-01T14:32:58+00:00
version | 2.3.0p9
class | fix
edition | cre
component | multisite
level | 1
compatible | yes
[//]: # (werk v2)
# omd restore: Fix RuntimeError: Failed to determine site version
key | value
---------- | ---
compatible | yes
version | 2.3.0p8
date | 2024-06-11T12:03:43+00:00
level | 1
class | fix
component | omd
edition | cre
Due to a regression introduced by <a href="https://checkmk.com/werk/16422">Werk #16422</a>, the
command `omd restore <NEW_SITE> <ARCHIVE_PATH>` could fail:
```
File "/omd/versions/2.3.0p6.cee/lib/python3/omdlib/main.py", line 3522, in _restore_backup_from_tar
old_site.replacements(),
^^^^^^^^^^^^^^^^^^^^^^^
File "/omd/versions/2.3.0p6.cee/lib/python3/omdlib/contexts.py", line 136, in replacements
raise RuntimeError("Failed to determine site version")
```
The failure only occurred if the user provided a site name that differed from the original name
and the original site no longer existed. This crash also affected the `Migrate existing Site`
function of the appliance.
If you are affected by this crash but are unable to update, you can start by restoring the
site without a new name. The site can then be renamed with `omd mv`.
Werk 17010 was adapted. The following is the new Werk, a diff is shown at the end of the message.
[//]: # (werk v2)
# XSS in SQL check parameters
key | value
---------- | ---
date | 2024-06-17T10:08:19+00:00
version | 2.3.0p8
class | security
edition | cre
component | wato
level | 1
compatible | yes
Prior to this Werk an attacker could add HTML to one parameter of the *Check SQL database* rule which was executed on the overview page.
We found this vulnerability internally.
**Affected Versions**:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (probably older versions as well)
**Indicators of Compromise**:
The creation of such rules is logged in the audit log. You can therefore check the `wato_audit.log` either on the terminal or in the UI for entries that contain malicious HTML.
**Vulnerability Management**:
We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L`
We assigned CVE-2024-6052 to this vulnerability.
**Changes**:
This Werk fixes the escaping.
------------------------------------<diff>-------------------------------------------
[//]: # (werk v2)
# XSS in SQL check parameters
key | value
---------- | ---
date | 2024-06-17T10:08:19+00:00
- version | 2.3.0p7
? ^
+ version | 2.3.0p8
? ^
class | security
edition | cre
component | wato
level | 1
compatible | yes
Prior to this Werk an attacher could add HTML to one parameter of the *Check SQL database* rule which was executed on the overview page.
We found this vulnerability internally.
**Affected Versions**:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (probably older versions as well)
**Indicators of Compromis**:
The creation of such rules is logged in the audit log. You can therefore check the `wato_audit.log` either on the terminal or in the UI for entries that contain malicious HTML.
**Vulnerability Management**:
We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L`
We assigned CVE-2024-6052 to this vulnerability.
**Changes**:
This Werk fixes the escaping.
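Review bot: the Affected Versions entries keep the "LI:" prefix under a "werk v2" header whose body otherwise uses Markdown (double asterisks, backticks), so if v2 is rendered as Markdown they will appear as literal text rather than a list. Write them as "*" items, as the 2.2.0 copy of this Werk does.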