Checkmk werks security June 2024

checkmk-werks-sec@lists.checkmk.com

1 participants
34 discussions

[2.3.0] Checkmk Werk 17025 created: Fix XSS in confirmation pop-up

by Checkmk security werks

[//]: # (werk v2) # Fix XSS in confirmation pop-up key | value ---------- | --- date | 2024-06-10T10:40:28+00:00 version | 2.3.0p7 class | security edition | cre component | wato level | 1 compatible | yes Prior to this Werk, there was a potential for HTML elements from user inputs to be rendered in certain confirmation pop-ups, leading to an XSS vulnerability. This vulnerability was identified during a commissioned penetration test conducted by PS Positive Security GmbH. *Affected Versions*: * 2.3.0 * 2.2.0 *Indicators of Compromise*: Injected HTML elements in some specific user input fields with no proper escaping that are displayed in the confirmation pop-up. *Vulnerability Management*: We have rated the issue with a CVSS Score of 5.4 (Medium) with the following CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N`, and assigned `CVE-2024-28831`.

3 months, 4 weeks

[2.3.0] Checkmk Werk 17024 created: Fix XSS in Crash Report Page

by Checkmk security werks

[//]: # (werk v2) # Fix XSS in Crash Report Page key | value ---------- | --- date | 2024-06-06T13:17:36+00:00 version | 2.3.0p7 class | security edition | cre component | wato level | 1 compatible | yes Prior to this Werk, it was possible to inject HTML elements into Crash report URL in the Global settings, leading to an `XSS` vulnerability in the Crash reports page. This vulnerability was identified during a commissioned penetration test conducted by PS Positive Security GmbH. *Affected Versions*: * 2.3.0 * 2.2.0 * 2.1.0 * 2.0.0 (EOL) *Indicators of Compromise*: Check the crash report HTTP URL in the Global settings for suspicious HTML elements. *Vulnerability Management*: We have rated the issue with a CVSS Score of 4.8 Medium with the following CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N`. and assigned `CVE-2024-28832`.

3 months, 4 weeks

[2.4.0] Checkmk Werk 17025 created: Fix XSS in confirmation pop-up

by Checkmk security werks

[//]: # (werk v2) # Fix XSS in confirmation pop-up key | value ---------- | --- date | 2024-06-10T10:40:28+00:00 version | 2.4.0b1 class | security edition | cre component | wato level | 1 compatible | yes Prior to this Werk, there was a potential for HTML elements from user inputs to be rendered in certain confirmation pop-ups, leading to an XSS vulnerability. This vulnerability was identified during a commissioned penetration test conducted by PS Positive Security GmbH. *Affected Versions*: * 2.3.0 * 2.2.0 *Indicators of Compromise*: Injected HTML elements in some specific user input fields with no proper escaping that are displayed in the confirmation pop-up. *Vulnerability Management*: We have rated the issue with a CVSS Score of 5.4 (Medium) with the following CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N`, and assigned `CVE-2024-28831`.

3 months, 4 weeks

[2.4.0] Checkmk Werk 17024 created: Fix XSS in Crash Report Page

by Checkmk security werks

[//]: # (werk v2) # Fix XSS in Crash Report Page key | value ---------- | --- date | 2024-06-06T13:17:36+00:00 version | 2.4.0b1 class | security edition | cre component | wato level | 1 compatible | yes Prior to this Werk, it was possible to inject HTML elements into Crash report URL in the Global settings, leading to an `XSS` vulnerability in the Crash reports page. This vulnerability was identified during a commissioned penetration test conducted by PS Positive Security GmbH. *Affected Versions*: * 2.3.0 * 2.2.0 * 2.1.0 * 2.0.0 (EOL) *Indicators of Compromise*: Check the crash report HTTP URL in the Global settings for suspicious HTML elements. *Vulnerability Management*: We have rated the issue with a CVSS Score of 4.8 Medium with the following CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N`. and assigned `CVE-2024-28832`.

3 months, 4 weeks

[2.1.0] Checkmk Werk 17009 created: XSS in inventory tree

by Checkmk security werks

Title: XSS in inventory tree Class: security Compatible: compat Component: inv Date: 1717744837 Edition: cre Level: 1 Version: 2.1.0p45 Prior to this Werk an attacker with control over an agent was able to inject HTML in the output which was then rendered in the inventory tree of the coresponding host. This problem exists only if the rule Do hardware/software inventory is set for the compromised agent/host. We found this vulnerability internally. Affected Versions: LI: 2.3.0 LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 Mitigations: If you are unable to patch you can disable inventory scanning for all hosts. Indicators of Compromise: You can check <code>var/check_mk/inventory/</code> for inventories with embedded HTML. This only indicates current 'attacks'. Previous attacks (where the agent does not output the payload anymore) are not discoverable after some time (caching). Vulnerability Management: We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L</code> We assigned CVE-2024-5741 to this vulnerability. Changes: This Werk adds sanitation to the HTML output.

4 months

[2.2.0] Checkmk Werk 17009 created: XSS in inventory tree

by Checkmk security werks

Title: XSS in inventory tree Class: security Compatible: compat Component: inv Date: 1717744837 Edition: cre Level: 1 Version: 2.2.0p28 Prior to this Werk an attacker with control over an agent was able to inject HTML in the output which was then rendered in the inventory tree of the coresponding host. This problem exists only if the rule Do hardware/software inventory is set for the compromised agent/host. We found this vulnerability internally. Affected Versions: LI: 2.3.0 LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 Mitigations: If you are unable to patch you can disable inventory scanning for all hosts. Indicators of Compromise: You can check <code>var/check_mk/inventory/</code> for inventories with embedded HTML. This only indicates current 'attacks'. Previous attacks (where the agent does not output the payload anymore) are not discoverable after some time (caching). Vulnerability Management: We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L</code> We assigned CVE-2024-5741 to this vulnerability. Changes: This Werk adds sanitation to the HTML output.

4 months

[2.3.0] Checkmk Werk 17009 created: XSS in inventory tree

by Checkmk security werks

[//]: # (werk v2) # XSS in inventory tree key | value ---------- | --- date | 2024-06-07T07:20:37+00:00 version | 2.3.0p7 class | security edition | cre component | inv level | 1 compatible | yes Prior to this Werk an attacker with control over an agent was able to inject HTML in the output which was then rendered in the inventory tree of the coresponding host. This problem exists only if the rule *Do hardware/software inventory* is set for the compromised agent/host. We found this vulnerability internally. **Affected Versions:** * 2.3.0 * 2.2.0 * 2.1.0 * 2.0.0 **Mitigations**: If you are unable to patch you can disable inventory scanning for all hosts. **Indicators of Compromise:** You can check `var/check_mk/inventory/` for inventories with embedded HTML. This only indicates current 'attacks'. Previous attacks (where the agent does not output the payload anymore) are not discoverable after some time (caching). **Vulnerability Management:** We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L` We assigned CVE-2024-5741 to this vulnerability. **Changes:** This Werk adds sanitation to the HTML output.

4 months

[2.4.0] Checkmk Werk 17009 created: XSS in inventory tree

by Checkmk security werks

[//]: # (werk v2) # XSS in inventory tree key | value ---------- | --- date | 2024-06-07T07:20:37+00:00 version | 2.4.0b1 class | security edition | cre component | inv level | 1 compatible | yes Prior to this Werk an attacker with control over an agent was able to inject HTML in the output which was then rendered in the inventory tree of the coresponding host. This problem exists only if the rule *Do hardware/software inventory* is set for the compromised agent/host. We found this vulnerability internally. **Affected Versions:** * 2.3.0 * 2.2.0 * 2.1.0 * 2.0.0 **Mitigations**: If you are unable to patch you can disable inventory scanning for all hosts. **Indicators of Compromise:** You can check `var/check_mk/inventory/` for inventories with embedded HTML. This only indicates current 'attacks'. Previous attacks (where the agent does not output the payload anymore) are not discoverable after some time (caching). **Vulnerability Management:** We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L` We assigned CVE-2024-5741 to this vulnerability. **Changes:** This Werk adds sanitation to the HTML output.

4 months

[2.3.0] Checkmk Werk 16830 created: Bruteforce protection for two factor authentication

by Checkmk security werks

[//]: # (werk v2) # Bruteforce protection for two factor authentication key | value ---------- | --- date | 2024-06-06T17:19:18+00:00 version | 2.3.0p6 class | security edition | cre component | core level | 1 compatible | yes Prior to this werk, Two Factor Authentication failures could not trigger account lockout. All three methods will now count towards failed login attempts against a user's account. As a result, an attacker could try to brute-force and therefore bypass user's two factor protections without triggering the lockout mechanism. This vulnerability was identified in a commissioned penetration test conducted by PS Positive Security GmbH. *Affected Versions*: * 2.3.0 *Indicators of Compromise*: Failed two factor authentication attempts can be identified within a Checkmk site's security log file (~/var/log/security.log). *Vulnerability Management*: We have rated the issue with a CVSS Score of 5.9 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</code> and assigned CVE <code>CVE-2024-28833</code>.

4 months, 1 week

[2.4.0] Checkmk Werk 16830 created: Bruteforce protection for two factor authentication

by Checkmk security werks

[//]: # (werk v2) # Bruteforce protection for two factor authentication key | value ---------- | --- date | 2024-06-06T17:19:18+00:00 version | 2.4.0b1 class | security edition | cre component | core level | 1 compatible | yes Prior to this werk, Two Factor Authentication failures could not trigger account lockout. All three methods will now count towards failed login attempts against a user's account. As a result, an attacker could try to brute-force and therefore bypass user's two factor protections without triggering the lockout mechanism. This vulnerability was identified in a commissioned penetration test conducted by PS Positive Security GmbH. *Affected Versions*: * 2.3.0 *Indicators of Compromise*: Failed two factor authentication attempts can be identified within a Checkmk site's security log file (~/var/log/security.log). *Vulnerability Management*: We have rated the issue with a CVSS Score of 5.9 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</code> and assigned CVE <code>CVE-2024-28833</code>.

4 months, 1 week

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

Checkmk werks security June 2024