[//]: # (werk v2)
# Fix XSS in confirmation pop-up
key | value
---------- | ---
date | 2024-06-10T10:40:28+00:00
version | 2.3.0p7
class | security
edition | cre
component | wato
level | 1
compatible | yes
Prior to this Werk, HTML elements contained in certain user input fields were rendered unescaped in some confirmation pop-ups, leading to an XSS vulnerability.
This vulnerability was identified during a commissioned penetration test conducted by PS Positive Security GmbH.
*Affected Versions*:
* 2.3.0
* 2.2.0
*Indicators of Compromise*:
Check the user input fields that are displayed in confirmation pop-ups for injected HTML elements; before this fix those fields were shown without proper escaping.
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 5.4 (Medium) with the following CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N`, and assigned `CVE-2024-28831`.
[//]: # (werk v2)
# Fix XSS in Crash Report Page
key | value
---------- | ---
date | 2024-06-06T13:17:36+00:00
version | 2.3.0p7
class | security
edition | cre
component | wato
level | 1
compatible | yes
Prior to this Werk, it was possible to inject HTML elements into the crash report URL in the global settings, leading to an XSS vulnerability on the crash reports page.
This vulnerability was identified during a commissioned penetration test conducted by PS Positive Security GmbH.
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
*Indicators of Compromise*:
Check the crash report HTTP URL in the Global settings for suspicious HTML elements.
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 4.8 (Medium) with the following CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N`, and assigned `CVE-2024-28832`.
[//]: # (werk v2)
# Fix XSS in confirmation pop-up
key | value
---------- | ---
date | 2024-06-10T10:40:28+00:00
version | 2.4.0b1
class | security
edition | cre
component | wato
level | 1
compatible | yes
Prior to this Werk, HTML elements contained in certain user input fields were rendered unescaped in some confirmation pop-ups, leading to an XSS vulnerability.
This vulnerability was identified during a commissioned penetration test conducted by PS Positive Security GmbH.
*Affected Versions*:
* 2.3.0
* 2.2.0
*Indicators of Compromise*:
Check the user input fields that are displayed in confirmation pop-ups for injected HTML elements; before this fix those fields were shown without proper escaping.
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 5.4 (Medium) with the following CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N`, and assigned `CVE-2024-28831`.
[//]: # (werk v2)
# Fix XSS in Crash Report Page
key | value
---------- | ---
date | 2024-06-06T13:17:36+00:00
version | 2.4.0b1
class | security
edition | cre
component | wato
level | 1
compatible | yes
Prior to this Werk, it was possible to inject HTML elements into the crash report URL in the global settings, leading to an XSS vulnerability on the crash reports page.
This vulnerability was identified during a commissioned penetration test conducted by PS Positive Security GmbH.
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
*Indicators of Compromise*:
Check the crash report HTTP URL in the Global settings for suspicious HTML elements.
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 4.8 (Medium) with the following CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N`, and assigned `CVE-2024-28832`.
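The two XSS werks above (confirmation pop-up and crash report URL) are the same class of bug in two HTML contexts: user-controlled text interpolated into element content, and a user-controlled URL placed into an `href` attribute. The following Python example is added here and is not Checkmk's code; the function names, page fragments and attacker inputs are constructed for illustration. It shows the vulnerable rendering next to a hardened version for each context and goes one step beyond the werk text: escaping alone does not fix the URL case, because a `javascript:` URL contains no HTML metacharacters, so the hardened version validates the scheme as well.

```python
"""Added example, not Checkmk code: the same XSS sink in two HTML contexts
(text inside an element, and a URL inside an href attribute) with the
vulnerable rendering next to a hardened one. Names are hypothetical."""
import html
from typing import Optional
from urllib.parse import urlsplit

# Constructed attacker inputs, modelled on the two werks: a host name typed
# into a form that is echoed back in a confirmation pop-up, and a crash
# report URL entered in the global settings.
HOSTNAME_INPUT = 'srv01<img src=x onerror="alert(document.cookie)">'
CRASH_URL_INPUT = 'javascript:alert(document.domain)'
CRASH_URL_ATTR_BREAKOUT = 'https://crash.example/report" onmouseover="alert(1)'


def render_confirm_vulnerable(name: str) -> str:
    """Before the fix: raw user input lands in the pop-up markup."""
    return f'<div class="confirm">Really delete host {name}?</div>'


def render_confirm_fixed(name: str) -> str:
    """After the fix: escape for the HTML text context."""
    return f'<div class="confirm">Really delete host {html.escape(name)}?</div>'


ALLOWED_SCHEMES = {"http", "https"}


def safe_href(url: str) -> Optional[str]:
    """Make a configured URL safe for an href.

    1. Reject anything that is not an absolute http(s) URL; this is what
       stops javascript: and data: URLs, which html.escape() leaves intact.
    2. Escape quotes and angle brackets so the value cannot break out of
       the attribute.  Returns None if the URL is rejected.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return html.escape(url, quote=True)


def render_crash_link_vulnerable(url: str) -> str:
    """Before the fix: the configured URL goes straight into the attribute."""
    return f'<a href="{url}">Submit crash report</a>'


def render_crash_link_fixed(url: str) -> str:
    """After the fix: validated scheme plus attribute-context escaping."""
    href = safe_href(url)
    if href is None:
        return "<span>Submit crash report (configured URL rejected)</span>"
    return f'<a href="{href}">Submit crash report</a>'


def escape_only_is_not_enough(url: str) -> bool:
    """True if html.escape() alone would still leave a javascript: link.
    Demonstrates why the URL case needs validation, not just escaping."""
    return html.escape(url, quote=True).lower().startswith("javascript:")


if __name__ == "__main__":
    print(render_confirm_vulnerable(HOSTNAME_INPUT))
    print(render_confirm_fixed(HOSTNAME_INPUT))
    print(render_crash_link_vulnerable(CRASH_URL_INPUT))
    print(render_crash_link_fixed(CRASH_URL_INPUT))
    print(render_crash_link_fixed("https://crash.example/report"))
```

The text-context fix is a pure escaping problem. The attribute case needs two checks because the two payloads attack different things: `CRASH_URL_ATTR_BREAKOUT` needs a quote to leave the attribute and is stopped by `html.escape(..., quote=True)`, while `CRASH_URL_INPUT` stays inside the attribute and is only stopped by the scheme allow-list.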
Title: XSS in inventory tree
Class: security
Compatible: compat
Component: inv
Date: 1717744837
Edition: cre
Level: 1
Version: 2.1.0p45
Prior to this Werk an attacker with control over an agent was able to inject HTML into the agent output, which was then rendered in the inventory tree of the corresponding host.
This problem exists only if the rule <em>Do hardware/software inventory</em> is set for the compromised agent/host.
We found this vulnerability internally.
<strong>Affected Versions:</strong>
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0
<strong>Mitigations</strong>:
If you are unable to patch you can disable inventory scanning for all hosts.
<strong>Indicators of Compromise:</strong>
You can check <code>var/check_mk/inventory/</code> for inventories with embedded HTML.
This only reveals attacks that are still ongoing. Once the agent no longer outputs the payload, the stored (cached) inventory is overwritten after some time and the earlier attack can no longer be found there.
<strong>Vulnerability Management:</strong>
We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector:
<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L</code>
We assigned CVE-2024-5741 to this vulnerability.
<strong>Changes:</strong>
This Werk adds sanitization of the HTML output.
Title: XSS in inventory tree
Class: security
Compatible: compat
Component: inv
Date: 1717744837
Edition: cre
Level: 1
Version: 2.2.0p28
Prior to this Werk an attacker with control over an agent was able to inject HTML into the agent output, which was then rendered in the inventory tree of the corresponding host.
This problem exists only if the rule <em>Do hardware/software inventory</em> is set for the compromised agent/host.
We found this vulnerability internally.
<strong>Affected Versions:</strong>
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0
<strong>Mitigations</strong>:
If you are unable to patch you can disable inventory scanning for all hosts.
<strong>Indicators of Compromise:</strong>
You can check <code>var/check_mk/inventory/</code> for inventories with embedded HTML.
This only reveals attacks that are still ongoing. Once the agent no longer outputs the payload, the stored (cached) inventory is overwritten after some time and the earlier attack can no longer be found there.
<strong>Vulnerability Management:</strong>
We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector:
<code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L</code>
We assigned CVE-2024-5741 to this vulnerability.
<strong>Changes:</strong>
This Werk adds sanitization of the HTML output.
[//]: # (werk v2)
# XSS in inventory tree
key | value
---------- | ---
date | 2024-06-07T07:20:37+00:00
version | 2.3.0p7
class | security
edition | cre
component | inv
level | 1
compatible | yes
Prior to this Werk an attacker with control over an agent was able to inject HTML into the agent output, which was then rendered in the inventory tree of the corresponding host.
This problem exists only if the rule *Do hardware/software inventory* is set for the compromised agent/host.
We found this vulnerability internally.
**Affected Versions:**
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0
**Mitigations**:
If you are unable to patch you can disable inventory scanning for all hosts.
**Indicators of Compromise:**
You can check `var/check_mk/inventory/` for inventories with embedded HTML.
This only reveals attacks that are still ongoing. Once the agent no longer outputs the payload, the stored (cached) inventory is overwritten after some time and the earlier attack can no longer be found there.
**Vulnerability Management:**
We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector:
`CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L`
We assigned CVE-2024-5741 to this vulnerability.
**Changes:**
This Werk adds sanitization of the HTML output.
[//]: # (werk v2)
# XSS in inventory tree
key | value
---------- | ---
date | 2024-06-07T07:20:37+00:00
version | 2.4.0b1
class | security
edition | cre
component | inv
level | 1
compatible | yes
Prior to this Werk an attacker with control over an agent was able to inject HTML into the agent output, which was then rendered in the inventory tree of the corresponding host.
This problem exists only if the rule *Do hardware/software inventory* is set for the compromised agent/host.
We found this vulnerability internally.
**Affected Versions:**
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0
**Mitigations**:
If you are unable to patch you can disable inventory scanning for all hosts.
**Indicators of Compromise:**
You can check `var/check_mk/inventory/` for inventories with embedded HTML.
This only reveals attacks that are still ongoing. Once the agent no longer outputs the payload, the stored (cached) inventory is overwritten after some time and the earlier attack can no longer be found there.
**Vulnerability Management:**
We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector:
`CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L`
We assigned CVE-2024-5741 to this vulnerability.
**Changes:**
This Werk adds sanitization of the HTML output.
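The inventory tree werks above name one indicator of compromise: inventory files under `var/check_mk/inventory/` that contain embedded HTML. The following Python script is an added example, not Checkmk's own tooling, that turns that hint into a first-pass scan. It reads every file under a directory (decompressing `.gz` files, which some Checkmk versions keep next to the plain ones), reports anything that looks like an HTML tag, an inline event handler or a `javascript:` URL, and returns a triage list of affected files. The sample inventory contents, the helper names and the temporary directory used by `demo()` are constructed for the example; the scan looks only at the raw text, so it does not depend on the exact on-disk format of your version.

```python
"""Added example, not Checkmk code: a first-pass scan of stored inventory
files for the indicator of compromise named in the werk, embedded HTML in
agent output.  Helper names and sample contents are constructed."""
import gzip
import os
import re
import tempfile
from pathlib import Path
from typing import Callable, List, Tuple

# An HTML tag, or an inline event handler / javascript: URL.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][\w:-]*(?:\s[^<>]*)?>")
HANDLER_RE = re.compile(r"\bon[a-z]+\s*=\s*[\"']?|javascript\s*:", re.IGNORECASE)

Finding = Tuple[str, str]  # (file relative to the scan root, matched snippet)


def read_inventory_file(path: Path) -> str:
    """Inventory files are text; decompress on the .gz suffix so gzipped
    copies are scanned as well."""
    opener: Callable = gzip.open if path.suffix == ".gz" else open
    with opener(path, "rb") as fh:
        return fh.read().decode("utf-8", errors="replace")


def scan_inventory_dir(root: os.PathLike) -> List[Finding]:
    """Walk root (normally ~/var/check_mk/inventory of the site) and report
    every file containing something that looks like HTML, with context."""
    root = Path(root)
    findings: List[Finding] = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        text = read_inventory_file(path)
        for regex in (TAG_RE, HANDLER_RE):
            for match in regex.finditer(text):
                start, end = max(0, match.start() - 20), match.end() + 20
                findings.append((str(path.relative_to(root)), text[start:end]))
    return findings


def flagged_hosts(findings: List[Finding]) -> List[str]:
    """Distinct file names with at least one hit, for a quick triage list."""
    return sorted({name for name, _ in findings})


# Constructed sample data.  The layout loosely follows the Python-repr
# dictionaries Checkmk stores; the scan does not depend on the structure.
CLEAN_HOST = "{'Attributes': {'Pairs': {'hostname': 'db01', 'os_version': '12.4'}}}"
COMPROMISED_HOST = (
    "{'Attributes': {'Pairs': {'hostname': "
    "'web02<script src=\"https://evil.example/x.js\"></script>'}}}"
)


def build_sample_tree(root: Path) -> None:
    """Write one clean plain file and one compromised gzipped file."""
    (root / "db01").write_text(CLEAN_HOST)
    with gzip.open(root / "web02.gz", "wb") as fh:
        fh.write(COMPROMISED_HOST.encode())


def demo() -> List[str]:
    """Build the sample tree in a temp dir, scan it, return flagged files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return flagged_hosts(scan_inventory_dir(root))


if __name__ == "__main__":
    for name, snippet in scan_inventory_dir(Path(os.environ.get("INV_DIR", "."))):
        print(f"{name}: ...{snippet!r}...")
```

Run it as the site user with `INV_DIR=~/var/check_mk/inventory`. Treat hits as a triage list, not a verdict: legitimate package descriptions can contain angle brackets, so review each snippet. As the werk notes, this only catches payloads still present in the stored inventory; if your site retains older inventory snapshots in a separate directory, point the scanner at that directory as well.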
[//]: # (werk v2)
# Bruteforce protection for two factor authentication
key | value
---------- | ---
date | 2024-06-06T17:19:18+00:00
version | 2.3.0p6
class | security
edition | cre
component | core
level | 1
compatible | yes
Prior to this werk, failed two-factor authentication attempts did not count towards account lockout. As a result, an attacker could brute-force a user's second factor, and thereby bypass the two-factor protection, without ever triggering the lockout mechanism. Failed attempts with any of the three second-factor methods now count towards the failed login attempts against the user's account.
This vulnerability was identified in a commissioned penetration test conducted by PS Positive Security GmbH.
*Affected Versions*:
* 2.3.0
*Indicators of Compromise*:
Failed two-factor authentication attempts can be identified in a Checkmk site's security log file (`~/var/log/security.log`).
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 5.9 (Medium) with the following CVSS vector: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N`, and assigned `CVE-2024-28833`.
[//]: # (werk v2)
# Bruteforce protection for two factor authentication
key | value
---------- | ---
date | 2024-06-06T17:19:18+00:00
version | 2.4.0b1
class | security
edition | cre
component | core
level | 1
compatible | yes
Prior to this werk, failed two-factor authentication attempts did not count towards account lockout. As a result, an attacker could brute-force a user's second factor, and thereby bypass the two-factor protection, without ever triggering the lockout mechanism. Failed attempts with any of the three second-factor methods now count towards the failed login attempts against the user's account.
This vulnerability was identified in a commissioned penetration test conducted by PS Positive Security GmbH.
*Affected Versions*:
* 2.3.0
*Indicators of Compromise*:
Failed two-factor authentication attempts can be identified in a Checkmk site's security log file (`~/var/log/security.log`).
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 5.9 (Medium) with the following CVSS vector: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N`, and assigned `CVE-2024-28833`.
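The two-factor werks above point at the security log as the place to find failed second-factor attempts. The following Python example is added here and is not Checkmk's code: it implements the detection the lockout now enforces, a per-user sliding-window count of failed second-factor attempts in which every method counts toward the same total. The log line layout, the method names (`totp`, `webauthn`, `backup_code`), the logger name and the threshold are all constructed for this example; the real format of `~/var/log/security.log` may differ, so adapt `LINE_RE` before pointing it at a live site.

```python
"""Added example, not Checkmk code: sliding-window count of failed
second-factor attempts per user, the condition the lockout in the werk
now enforces.  Log layout, method names and threshold are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed format: "<timestamp> [<logger>] <method> failed for user '<name>'"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[[^\]]*\] "
    r"(?P<method>\w+) failed for user '(?P<user>[^']+)'$"
)

Alert = Tuple[str, datetime, datetime, int]  # user, first, last, count


def detect_2fa_bruteforce(
    lines: List[str],
    threshold: int = 10,
    window: timedelta = timedelta(minutes=15),
) -> List[Alert]:
    """Raise one alert per user whose failed second-factor attempts reach
    `threshold` within any `window`, regardless of which method was used
    (the point of the werk: every method counts toward the same total)."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Alert] = []
    alerted = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and other events are not counted
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        user = m["user"]
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) >= threshold and user not in alerted:
            alerts.append((user, q[0], ts, len(q)))
            alerted.add(user)
    return alerts


def build_sample_log() -> List[str]:
    """Constructed log: alice is brute-forced across all three methods,
    bob fails twice, carol fails once an hour (never inside one window)."""
    base = datetime(2024, 6, 6, 17, 0, 0)
    methods = ["totp", "webauthn", "backup_code"]

    def entry(t: datetime, method: str, user: str) -> str:
        return f"{t:%Y-%m-%d %H:%M:%S} [cmk.web.auth] {method} failed for user '{user}'"

    lines = [entry(base + timedelta(seconds=30 * i), methods[i % 3], "alice")
             for i in range(12)]
    lines += [entry(base + timedelta(minutes=i), "totp", "bob") for i in range(2)]
    lines += [entry(base + timedelta(hours=i), "totp", "carol") for i in range(12)]
    lines.append(f"{base:%Y-%m-%d %H:%M:%S} [cmk.web.auth] "
                 "password login succeeded for user 'alice'")
    return sorted(lines)  # ISO timestamps sort chronologically


def demo_alerted_users() -> List[str]:
    """Users flagged with the default threshold and window."""
    return [a[0] for a in detect_2fa_bruteforce(build_sample_log())]


if __name__ == "__main__":
    for user, first, last, count in detect_2fa_bruteforce(build_sample_log()):
        print(f"{user}: {count} second-factor failures between {first} and {last}")
```

With the defaults only `alice` is flagged: her twelve failures are spread over three methods, which is exactly the split a per-method counter would miss and the shared counter catches. `carol` accumulates the same number of failures but never ten inside one window, so a short window keeps slow, patient guessing below the threshold; pick the window to match the lockout policy you actually enforce.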