[2.2.0] Checkmk Werk 16198 created: mk_informix: Do not allow privilege escalation

Title: mk_informix: Do not allow privilege escalation Class: security Compatible: compat Component: checks Date: 1709909870 Edition: cre Level: 1 Version: 2.2.0p24 The informix database monitoring plugin would previously <code>eval</code> statements parsed from <code>$INFORMIXDIR/bin/onstat</code>. Since the plugin is usually run as root, this could cause statements injected in <code>$INFORMIXDIR/bin/onstat</code> to be run as root as well. By adding scripts named the same as other functionality found in <code>$PATH</code> to <code>$INFORMIXDIR/bin</code>, <code>$PATH</code> functionality could also be overshadowed and the custom executed as root. Finally, <code>$INFORMIXDIR/bin/onstat</code> would be executed as root, allowing a substituted script to be run with elevated privileges. With this werk, the environment variables will be exported instead and <code>$PATH</code> will now be searched before <code>$INFORMIXDIR/bin</code>. The plugin will now also check if <code>$INFORMIXDIR/bin/onstat</code> belongs to root if the plugin is executed as root. If not, it will be executed as the user owning the executable. This issue was found during internal review. <em>Affected Versions</em>: LI: 2.3.0 (beta) LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 (EOL) <em>Vulnerability Management</em>: We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code> and assigned CVE <code>CVE-2024-28824</code>.