by Checkmk security werks and security announcements
Werk 17145 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Information leak in mknotifyd
Class: security
Compatible: compat
Component: notifications
Date: 1721042620
Edition: cee
Level: 1
Version: 2.2.0p36
When a notification context is sent to mknotifyd, a "result message" is generated by mknotifyd and sent back to the original site so it can show if there were problems handling that notification.
This result message could contain secrets that were not meant to be sent to remote sites, e.g. passwords/secrets.
These secrets were not processed by the remote site, but a rogue site would have been able to retrieve them.
This issue was found during internal review.
<em>Affected Versions</em>:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL)
<em>Vulnerability Management</em>:
We have rated the issue with a CVSS Score of 5.3 Medium (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>) and assigned <code>CVE-2024-6747</code>.
------------------------------------<diff>-------------------------------------------
Title: Information leak in mknotifyd
Class: security
Compatible: compat
Component: notifications
Date: 1721042620
Edition: cee
Level: 1
- Version: 2.2.0p35
? ^
+ Version: 2.2.0p36
? ^
When a notification context is sent to mknotifyd a "result message" is generated by mknotifyd and sent back so the original site so it can show if there were problems handling that notification.
This result message could contain secrets that were not meant to be sent to remote sites, e.g. passwords/secrets.
These secrets were not processed by the remote site but a rough site would have been able to retrieve these.
This issue was found during internal review.
<em>Affected Versions</em>:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL)
<em>Vulnerability Management</em>:
We have rated the issue with a CVSS Score of 5.3 Medium (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>) and assigned <code>CVE-2024-6747</code>.
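Review bot: The Version line changes from 2.2.0p35 to 2.2.0p36, but the body below it is unchanged and does not say whether 2.2.0p35 contains the fix. Anyone who updated to p35 after the earlier announcement cannot tell from this Werk whether that release is still affected; suggest adding one sentence that states the status of 2.2.0p35. The unchanged description lines also still read "sent back so the original site" and "a rough site", which look like typos for "to the original site" and "a rogue site".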
by Checkmk security werks and security announcements
Werk 17095 was adapted. The following is the new Werk, a diff is shown at the end of the message.
[//]: # (werk v2)
# Sanitize Host and Folder Credentials in Audit Log
key | value
---------- | ---
date | 2024-10-07T05:57:04+00:00
version | 2.3.0p18
class | security
edition | cre
component | wato
level | 1
compatible | no
Before this Werk, adding, changing, or removing SNMP and IPMI credentials in a host or folder's properties would log those credentials in the WATO audit log. Now, credentials are masked before being written to the log.
The affected logs, both via the rendering functionality in WATO as well as the files on the file system, are only accessible to authenticated users.
This issue was found during internal review.
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
*Recommendations*:
We have marked this Werk incompatible because we recommend taking manual action:
Consider rotating affected credentials.
If that is not feasible, consider sanitizing the log files.
Also take into account that log files containing credentials might have been written to backups.
The affected log files can be found in `~/var/check_mk/wato/log`.
Note that, before Checkmk 2.3.0p18, entries in the files were not separated by newlines but by null bytes.
So they would appear as one long line.
Entries that might contain credentials are all entries where the `'action'` is `'edit-folder'` or `'edit-host'`, and the `'diff_text'` contains any of the following strings:
* `Attribute "snmp_community"`
* `Value of "snmp_community"`
* `Attribute "management_snmp_community"`
* `Value of "management_snmp_community"`
* `Attribute "management_ipmi_credentials"`
* `Value of "management_ipmi_credentials"`
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 5.1 Medium (`CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N`) and assigned `CVE-2024-38862`.
------------------------------------<diff>-------------------------------------------
[//]: # (werk v2)
# Sanitize Host and Folder Credentials in Audit Log
key | value
---------- | ---
date | 2024-10-07T05:57:04+00:00
version | 2.3.0p18
class | security
edition | cre
component | wato
level | 1
compatible | no
Before this Werk, adding, changing, or removing SNMP and IMPI credentials in a host or folder's properties would log those credentials in the WATO audit log. Now, credentials are masked before being written to the log.
The affected logs, both via the rendering functionality in WATO as well as the files on the file system, are only accessible to authenticated users.
This issue was found during internal review.
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
*Recommendations*:
We have marked this Werk incompatible because we recommend taking manual action:
Consider rotating affected credentials.
If that is not feasible, consider sanitizing the log files.
Also take into account that log files containing credentials might have been written to backups.
The affected log files can be found in `~/var/check_mk/wato/log`.
- Note that entries in the files are not separated by newlines, but by null bytes, so they will appear as one long line.
+ Note that, before Checkmk 2.3.0p18, entries in the files were not separated by newlines but by null bytes.
+ So they would appear as one long line.
Entries that might contain credentials are all entries where the `'action'` is `'edit-folder'` or `'edit-host'`, and the `'diff_text'` contains any of the following strings:
* `Attribute "snmp_community"`
* `Value of "snmp_community"`
* `Attribute "management_snmp_community"`
* `Value of "management_snmp_community"`
* `Attribute "management_ipmi_credentials"`
* `Value of "management_ipmi_credentials"`
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 5.1 Medium (`CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N`) and assigned `CVE-2024-38862`.
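Review bot: The rewritten note ties the null-byte separator to "before Checkmk 2.3.0p18" only, while Affected Versions also lists 2.2.0, 2.1.0 and 2.0.0. It should say which separator those branches use, and whether entries already written with null bytes are converted on update or stay in the file next to newline-separated ones, because that decides how a search for the `'edit-host'` and `'edit-folder'` entries has to split the file.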
by Checkmk security werks and security announcements
Werk 17095 was adapted. The following is the new Werk, a diff is shown at the end of the message.
[//]: # (werk v2)
# Sanitize Host and Folder Credentials in Audit Log
key | value
---------- | ---
date | 2024-10-07T05:57:04+00:00
version | 2.4.0b1
class | security
edition | cre
component | wato
level | 1
compatible | no
Before this Werk, adding, changing, or removing SNMP and IPMI credentials in a host or folder's properties would log those credentials in the WATO audit log. Now, credentials are masked before being written to the log.
The affected logs, both via the rendering functionality in WATO as well as the files on the file system, are only accessible to authenticated users.
This issue was found during internal review.
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
*Recommendations*:
We have marked this Werk incompatible because we recommend taking manual action:
Consider rotating affected credentials.
If that is not feasible, consider sanitizing the log files.
Also take into account that log files containing credentials might have been written to backups.
The affected log files can be found in `~/var/check_mk/wato/log`.
Note that, before Checkmk 2.3.0p18, entries in the files were not separated by newlines but by null bytes.
So they would appear as one long line.
Entries that might contain credentials are all entries where the `'action'` is `'edit-folder'` or `'edit-host'`, and the `'diff_text'` contains any of the following strings:
* `Attribute "snmp_community"`
* `Value of "snmp_community"`
* `Attribute "management_snmp_community"`
* `Value of "management_snmp_community"`
* `Attribute "management_ipmi_credentials"`
* `Value of "management_ipmi_credentials"`
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 5.1 Medium (`CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N`) and assigned `CVE-2024-38862`.
------------------------------------<diff>-------------------------------------------
[//]: # (werk v2)
# Sanitize Host and Folder Credentials in Audit Log
key | value
---------- | ---
date | 2024-10-07T05:57:04+00:00
version | 2.4.0b1
class | security
edition | cre
component | wato
level | 1
compatible | no
Before this Werk, adding, changing, or removing SNMP and IMPI credentials in a host or folder's properties would log those credentials in the WATO audit log. Now, credentials are masked before being written to the log.
The affected logs, both via the rendering functionality in WATO as well as the files on the file system, are only accessible to authenticated users.
This issue was found during internal review.
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
*Recommendations*:
We have marked this Werk incompatible because we recommend taking manual action:
Consider rotating affected credentials.
If that is not feasible, consider sanitizing the log files.
Also take into account that log files containing credentials might have been written to backups.
The affected log files can be found in `~/var/check_mk/wato/log`.
- Note that entries in the files are not separated by newlines, but by null bytes, so they will appear as one long line.
+ Note that, before Checkmk 2.3.0p18, entries in the files were not separated by newlines but by null bytes.
+ So they would appear as one long line.
Entries that might contain credentials are all entries where the `'action'` is `'edit-folder'` or `'edit-host'`, and the `'diff_text'` contains any of the following strings:
* `Attribute "snmp_community"`
* `Value of "snmp_community"`
* `Attribute "management_snmp_community"`
* `Value of "management_snmp_community"`
* `Attribute "management_ipmi_credentials"`
* `Value of "management_ipmi_credentials"`
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 5.1 Medium (`CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N`) and assigned `CVE-2024-38862`.
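Review bot: The unchanged first line of the description still says "SNMP and IMPI credentials", while the search strings further down use `management_ipmi_credentials`; since the Werk text is being revised anyway, correct it to "IPMI". The added second sentence, "So they would appear as one long line.", would also read better joined to the sentence before it with a comma.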
by Checkmk security werks and security announcements
Title: Information leak in mknotifyd
Class: security
Compatible: compat
Component: notifications
Date: 1721042620
Edition: cee
Level: 1
Version: 2.1.0p49
When a notification context is sent to mknotifyd, a "result message" is generated by mknotifyd and sent back to the original site so it can show if there were problems handling that notification.
This result message could contain secrets that were not meant to be sent to remote sites, e.g. passwords/secrets.
These secrets were not processed by the remote site, but a rogue site would have been able to retrieve them.
This issue was found during internal review.
<em>Affected Versions</em>:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL)
<em>Vulnerability Management</em>:
We have rated the issue with a CVSS Score of 5.3 Medium (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>) and assigned <code>CVE-2024-6747</code>.
by Checkmk security werks and security announcements
Title: CSRF token leaked in URL parameters (CVE-2024-38863)
Class: security
Compatible: compat
Component: wato
Date: 1728280120
Edition: cre
Level: 1
Version: 2.1.0p48
Before this Werk, the CSRF token was mistakenly included as a query parameter in certain URLs when navigating Checkmk, which could result in the token being saved in bookmarks.
This increased the risk of unintentional exposure, such as when sharing bookmarks with other users.
The issue has been resolved.
While storing or unintentionally exposing the token doesn't present an immediate security threat, it could potentially enable phishing attacks targeting the specific user for the duration of the token's validity.
In Checkmk, CSRF tokens remain valid for the session's duration (configured under Global settings > Session management).
This issue was found during internal review.
<em>Affected Versions</em>:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
<em>Mitigations</em>:
Avoid sharing or exposing URLs that contain the query parameter <code>csrf_token=</code>.
<em>Vulnerability Management</em>:
We have rated the issue with a CVSS Score of 2.0 Low (<code>CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L</code>) and assigned <code>CVE-2024-38863</code>.
by Checkmk security werks and security announcements
Title: Sanitize Host and Folder Credentials in Audit Log
Class: security
Compatible: incomp
Component: wato
Date: 1728280624
Edition: cre
Level: 1
Version: 2.1.0p48
Before this Werk, adding, changing, or removing SNMP and IPMI credentials in a host or folder's properties would log those credentials in the WATO audit log. Now, credentials are masked before being written to the log.
The affected logs, both via the rendering functionality in WATO as well as the files on the file system, are only accessible to authenticated users.
This issue was found during internal review.
<em>Affected Versions</em>:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL)
<em>Recommendations</em>:
We have marked this Werk incompatible because we recommend taking manual action:
Consider rotating affected credentials.
If that is not feasible, consider sanitizing the log files.
Also take into account that log files containing credentials might have been written to backups.
The affected log files can be found in <code>~/var/check_mk/wato/log</code>.
Note that entries in the files are not separated by newlines, but by null bytes, so they will appear as one long line.
Entries that might contain credentials are all entries where the <code>'action'</code> is <code>'edit-folder'</code> or <code>'edit-host'</code>, and the <code>'diff_text'</code> contains any of the following strings:
LI: <code>Attribute "snmp_community"</code>
LI: <code>Value of "snmp_community"</code>
LI: <code>Attribute "management_snmp_community"</code>
LI: <code>Value of "management_snmp_community"</code>
LI: <code>Attribute "management_ipmi_credentials"</code>
LI: <code>Value of "management_ipmi_credentials"</code>
<em>Vulnerability Management</em>:
We have rated the issue with a CVSS Score of 5.1 Medium (<code>CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N</code>) and assigned <code>CVE-2024-38862</code>.
by Checkmk security werks and security announcements
Title: Information leak in mknotifyd
Class: security
Compatible: compat
Component: notifications
Date: 1721042620
Edition: cee
Level: 1
Version: 2.2.0p35
When a notification context is sent to mknotifyd, a "result message" is generated by mknotifyd and sent back to the original site so it can show if there were problems handling that notification.
This result message could contain secrets that were not meant to be sent to remote sites, e.g. passwords/secrets.
These secrets were not processed by the remote site, but a rogue site would have been able to retrieve them.
This issue was found during internal review.
<em>Affected Versions</em>:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL)
<em>Vulnerability Management</em>:
We have rated the issue with a CVSS Score of 5.3 Medium (<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>) and assigned <code>CVE-2024-6747</code>.
by Checkmk security werks and security announcements
Title: Sanitize Host and Folder Credentials in Audit Log
Class: security
Compatible: incomp
Component: wato
Date: 1728280624
Edition: cre
Level: 1
Version: 2.2.0p35
Before this Werk, adding, changing, or removing SNMP and IPMI credentials in a host or folder's properties would log those credentials in the WATO audit log. Now, credentials are masked before being written to the log.
The affected logs, both via the rendering functionality in WATO as well as the files on the file system, are only accessible to authenticated users.
This issue was found during internal review.
<em>Affected Versions</em>:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL)
<em>Recommendations</em>:
We have marked this Werk incompatible because we recommend taking manual action:
Consider rotating affected credentials.
If that is not feasible, consider sanitizing the log files.
Also take into account that log files containing credentials might have been written to backups.
The affected log files can be found in <code>~/var/check_mk/wato/log</code>.
Note that entries in the files are not separated by newlines, but by null bytes, so they will appear as one long line.
Entries that might contain credentials are all entries where the <code>'action'</code> is <code>'edit-folder'</code> or <code>'edit-host'</code>, and the <code>'diff_text'</code> contains any of the following strings:
LI: <code>Attribute "snmp_community"</code>
LI: <code>Value of "snmp_community"</code>
LI: <code>Attribute "management_snmp_community"</code>
LI: <code>Value of "management_snmp_community"</code>
LI: <code>Attribute "management_ipmi_credentials"</code>
LI: <code>Value of "management_ipmi_credentials"</code>
<em>Vulnerability Management</em>:
We have rated the issue with a CVSS Score of 5.1 Medium (<code>CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N</code>) and assigned <code>CVE-2024-38862</code>.
by Checkmk security werks and security announcements
Title: CSRF token leaked in URL parameters (CVE-2024-38863)
Class: security
Compatible: compat
Component: wato
Date: 1728280120
Edition: cre
Level: 1
Version: 2.2.0p35
Before this Werk, the CSRF token was mistakenly included as a query parameter in certain URLs when navigating Checkmk, which could result in the token being saved in bookmarks.
This increased the risk of unintentional exposure, such as when sharing bookmarks with other users.
The issue has been resolved.
While storing or unintentionally exposing the token doesn't present an immediate security threat, it could potentially enable phishing attacks targeting the specific user for the duration of the token's validity.
In Checkmk, CSRF tokens remain valid for the session's duration (configured under Global settings > Session management).
This issue was found during internal review.
<em>Affected Versions</em>:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
<em>Mitigations</em>:
Avoid sharing or exposing URLs that contain the query parameter <code>csrf_token=</code>.
<em>Vulnerability Management</em>:
We have rated the issue with a CVSS Score of 2.0 Low (<code>CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L</code>) and assigned <code>CVE-2024-38863</code>.
by Checkmk security werks and security announcements
[//]: # (werk v2)
# Sanitize Host and Folder Credentials in Audit Log
key | value
---------- | ---
date | 2024-10-07T05:57:04+00:00
version | 2.3.0p18
class | security
edition | cre
component | wato
level | 1
compatible | no
Before this Werk, adding, changing, or removing SNMP and IPMI credentials in a host or folder's properties would log those credentials in the WATO audit log. Now, credentials are masked before being written to the log.
The affected logs, both via the rendering functionality in WATO as well as the files on the file system, are only accessible to authenticated users.
This issue was found during internal review.
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
*Recommendations*:
We have marked this Werk incompatible because we recommend taking manual action:
Consider rotating affected credentials.
If that is not feasible, consider sanitizing the log files.
Also take into account that log files containing credentials might have been written to backups.
The affected log files can be found in `~/var/check_mk/wato/log`.
Note that entries in the files are not separated by newlines, but by null bytes, so they will appear as one long line.
Entries that might contain credentials are all entries where the `'action'` is `'edit-folder'` or `'edit-host'`, and the `'diff_text'` contains any of the following strings:
* `Attribute "snmp_community"`
* `Value of "snmp_community"`
* `Attribute "management_snmp_community"`
* `Value of "management_snmp_community"`
* `Attribute "management_ipmi_credentials"`
* `Value of "management_ipmi_credentials"`
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 5.1 Medium (`CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N`) and assigned `CVE-2024-38862`.
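
The audit log search described under Recommendations in the "Sanitize Host and Folder Credentials in Audit Log" Werk, as an added example (not Checkmk's own code). It assumes each entry is one Python-literal dict, as the quoted `'action'` and `'diff_text'` keys suggest, and it splits on both null bytes and newlines so it covers files written before and after 2.3.0p18; the sample entries are constructed.

```python
import ast
import re
import sys
from pathlib import Path

# Strings the Werk lists as indicators inside 'diff_text'.
MARKERS = (
    'Attribute "snmp_community"', 'Value of "snmp_community"',
    'Attribute "management_snmp_community"', 'Value of "management_snmp_community"',
    'Attribute "management_ipmi_credentials"', 'Value of "management_ipmi_credentials"',
)
ACTIONS = {"edit-folder", "edit-host"}

def split_entries(raw: bytes) -> list[bytes]:
    """Split on null bytes (older files) and on newlines (2.3.0p18 and later)."""
    return [c for c in re.split(rb"[\x00\n]+", raw) if c.strip()]

def parse_entry(chunk: bytes):
    """Assumption: each entry is one Python-literal dict. Returns None otherwise."""
    try:
        entry = ast.literal_eval(chunk.decode("utf-8", errors="replace"))
    except (ValueError, SyntaxError):
        return None
    return entry if isinstance(entry, dict) else None

def find_suspect_entries(raw: bytes):
    """Return (hits, unparsed); a hit is (entry number, action, matched markers)."""
    hits, unparsed = [], 0
    for number, chunk in enumerate(split_entries(raw), start=1):
        entry = parse_entry(chunk)
        if entry is None:
            unparsed += 1  # not checked; review these chunks by hand
            continue
        action = entry.get("action")
        diff_text = str(entry.get("diff_text") or "")
        matched = [m for m in MARKERS if m in diff_text]
        if isinstance(action, str) and action in ACTIONS and matched:
            hits.append((number, action, matched))
    return hits, unparsed

# Constructed sample: only 'action' and 'diff_text' are named in the Werk;
# the 'time' key and all values are made up for illustration.
_SAMPLE_ENTRIES = [
    {"time": 1, "action": "edit-host",
     "diff_text": 'Value of "snmp_community" changed from "EXAMPLE-A" to "EXAMPLE-B".'},
    {"time": 2, "action": "edit-host", "diff_text": 'Value of "alias" changed.'},
    {"time": 3, "action": "edit-folder",
     "diff_text": 'Attribute "management_ipmi_credentials" with value EXAMPLE added.'},
    {"time": 4, "action": "activate-changes", "diff_text": None},
]
_ENC = [repr(e).encode() for e in _SAMPLE_ENTRIES]
# Two null-separated entries, two newline-separated ones, then a damaged chunk.
SAMPLE = _ENC[0] + b"\0" + _ENC[1] + b"\0" + _ENC[2] + b"\n" + _ENC[3] + b"\n{'action': 'edit-h"

if __name__ == "__main__":
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE
    found, skipped = find_suspect_entries(data)
    for number, action, matched in found:
        print(f"entry {number}: {action}: {', '.join(matched)}")
    print(f"{len(found)} suspect entries, {skipped} unparsed")
```

The report lists entry positions and marker names only, so the output itself does not repeat the logged credentials; run it against backups of the log files as well.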