Checkmk werks security August 2024

checkmk-werks-sec@lists.checkmk.com

1 participants
17 discussions

[2.4.0] Checkmk Werk 17148 created: Persist known host keys for checks that use SSH

by Checkmk security werks

[//]: # (werk v2) # Persist known host keys for checks that use SSH key | value ---------- | --- date | 2024-08-26T08:56:04+00:00 version | 2.4.0b1 class | security edition | cre component | checks level | 1 compatible | yes When using the special agent *VNX quotas and filesystems* or the active check *Check SFTP Service* the host keys were not properly checked. If an attacker would get into a machine-in-the-middle position he could intercept the connection and retrieve information e.g. passwords. As of this Werk the host key check is properly done. In order to store known host keys a regular `known_hosts` file is used that is stored in `/omd/sites/$SITENAME/.ssh/known_hosts`. If a host key changes an error is now raised that requires manual edit of this file. This issue was found during internal review. *Affected Versions*: * 2.3.0 * 2.2.0 * 2.1.0 * 2.0.0 (EOL) *Vulnerability Management*: We have rated the issue with a CVSS Score of 6.3 Medium CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N and assigned CVE-2024-6572.

2 weeks, 6 days

[2.4.0] Checkmk Werk 17026 created: Fix XSS in view page with SLA column

by Checkmk security werks

[//]: # (werk v2) # Fix XSS in view page with SLA column key | value ---------- | --- date | 2024-08-15T12:15:13+00:00 version | 2.4.0b1 class | security edition | cee component | wato level | 1 compatible | yes Prior to this werk, the SLA (Service Level Agreement) titles were being rendered as HTML in the view page without proper escaping, leading to a potential XSS vulnerability. **Affected Versions**: * 2.3.0 * 2.2.0 * 2.1.0 * 2.0.0 (EOL) **Indicators of Compromise**: Cloning the view page of untrusted users who have injected HTML into the SLA titles. **Vulnerability Management**: We have rated the issue with a CVSS score of 4.8 (medium) with the following CVSS vector: `CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N`, and assigned `CVE-2024-38859`.

2 weeks, 6 days

[2.4.0] Checkmk Werk 16615 adapted: Remove websphere_mq plugin

by Checkmk security werks

Werk 16615 was adapted. The following is the new Werk, a diff is shown at the end of the message. [//]: # (werk v2) # Remove websphere_mq plugin key | value ---------- | --- date | 2024-03-11T11:09:48+00:00 version | 2.4.0b1 class | security edition | cre component | checks level | 1 compatible | no With this Werk the `websphere_mq` plugin is removed for security reasons. In this plugin the output of `ps` is used to determine an argument for `runmqsc`. This meant that anybody who can launch processes with an arbitrary command line could manipulate one argument to `runmqsc`. The plugin was already superseded by the agent plugin `ibm_mq` and deprecated with Werk [10752](https://checkmk.com/werk/10752) and version 2.0.0. Since this plugin is already deprecated and it was not configurable via the *agent bakery* we assumed that this plugin is not frequently used. Therefore we decided to not fix the issue but to push the removal. We found this vulnerability internally. __Affected versions__: * 2.3.0 * 2.2.0 * 2.1.0 * 2.0.0 __Mitigations__: Migrate to the `ibm_mq` plugin. __Vulnerability Management__: We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N`. We assigned CVE-2024-3367 to this vulnerability. __Changes__: The plugin was removed. ------------------------------------<diff>------------------------------------------- [//]: # (werk v2) # Remove websphere_mq plugin key | value ---------- | --- date | 2024-03-11T11:09:48+00:00 version | 2.4.0b1 class | security edition | cre component | checks level | 1 - compatible | yes ? ^^^ + compatible | no ? ^^ With this Werk the `websphere_mq` plugin is removed for security reasons. In this plugin the output of `ps` is used to determine an argument for `runmqsc`. This meant that anybody who can launch processes with an arbitrary command line could manipulate one argument to `runmqsc`. The plugin was already superseded by the agent plugin `ibm_mq` and deprecated with Werk [10752](https://checkmk.com/werk/10752) and version 2.0.0. Since this plugin is already deprecated and it was not configurable via the *agent bakery* we assumed that this plugin is not frequently used. Therefore we decided to not fix the issue but to push the removal. We found this vulnerability internally. __Affected versions__: * 2.3.0 * 2.2.0 * 2.1.0 * 2.0.0 __Mitigations__: Migrate to the `ibm_mq` plugin. __Vulnerability Management__: We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N`. We assigned CVE-2024-3367 to this vulnerability. __Changes__: The plugin was removed.

3 weeks

[2.4.0] Checkmk Werk 17056 created: Don't show automation secret in the audit log (addresses CVE-2024-28830)

by Checkmk security werks

[//]: # (werk v2) # Don't show automation secret in the audit log (addresses CVE-2024-28830) key | value ---------- | --- date | 2024-06-19T12:10:00+00:00 version | 2.4.0b1 class | security edition | cre component | wato level | 2 compatible | no By default only admin users are able to see the audit log. Guests and normal monitoring users do not have acces to the audit log. Werk #13330 already fixed a problem where passwords were shown in the audit log. This werk now addresses the problem, that still automation secrets of automation user were logged in clear text to the audit log, e.g. on change of the automation secret via REST-API or the user interface. Existing automation secrets in the audit log should be removed automatically during the update but please double check that no automation secrets remain in the log (see next paragraph for details). A backup of the original audit log (before automation secrets were removed) is copied to "~/var/check_mk/wato/log/sanitize_backup". If anything goes wrong during the update, you have to copy the files back to ~var/check_mk/wato/log and remove the automation secrets manually. If the update works as expected, you can remove the backup files. In distributed setups which do not replicate the configuration, automation secrets are replaced during the update of each site. In setups which replicate the configuration from central to remote sites no automation secrets should be present in the logs of the remote site, since only information about the activation is logged. Only if you switched to a replicated setup after the upgrade to the 2.0, automation secrets can be present in the logs. Since automation secrets may be in this scenario as well, the steps described before also apply. *Affected Versions*: * 2.3.0 * 2.2.0 * 2.1.0 * 2.0.0 (EOL) *Mitigations*: Remove automation secrets manually within the files located in ~var/check_mk/wato/log. *Vulnerability Management*: We have rated the issue with a CVSS Score of <2.7 (Low)> with the following CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N` and assigned CVE `CVE-2024-28830`.

3 weeks

[2.4.0] Checkmk Werk 16249 created: mk_informix: Follow up for Werk 16198

by Checkmk security werks

[//]: # (werk v2) # mk_informix: Follow up for Werk 16198 key | value ---------- | --- date | 2024-07-26T07:18:38+00:00 version | 2.4.0b1 class | security edition | cre component | checks level | 1 compatible | yes [Werk #16198](https://checkmk.com/werk/16198) addressed potential priviledge escalation by the agent plugin `mk_informix`. However, a few callsites to the binaries `dbaccess` and `onstat` where missing the safe execution. Those binaries are now also called in a safe way. Vulnerability Management: We have rated the issue with a CVSS Score of 5.2 (Medium) with the following CVSS vector: <code>CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H</code> and assigned CVE <code>CVE-2024-28829</code>.

3 weeks

[2.1.0] Checkmk Werk 13900 adapted: Update Pillow and Paramiko

by Checkmk security werks

Werk 13900 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: Update Pillow and Paramiko Class: security Compatible: compat Component: core Date: 1650872232 Edition: cre Knowledge: doc Level: 1 State: unknown Version: 2.1.0b6 This updates paramiko to 2.3.10 and Pillow to 9.1.0. These new versions include fixes for these CVEs: LI: CVE-2022-24302 LI: CVE-2022-22817 LI: CVE-2022-22816 LI: CVE-2022-22815 LI: CVE-2022-24303 ------------------------------------<diff>------------------------------------------- Title: Update Pillow and Paramiko Class: security Compatible: compat Component: core Date: 1650872232 Edition: cre Knowledge: doc Level: 1 State: unknown - Version: 2.1.0b7 ? ^ + Version: 2.1.0b6 ? ^ This updates paramiko to 2.3.10 and Pillow to 9.1.0. These new versions include fixes for these CVEs: LI: CVE-2022-24302 LI: CVE-2022-22817 LI: CVE-2022-22816 LI: CVE-2022-22815 LI: CVE-2022-24303

1 month, 2 weeks

[2.2.0] Checkmk Werk 15194 adapted: Fix command injection via RestAPI / Password Store

by Checkmk security werks

Werk 15194 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: Fix command injection via RestAPI / Password Store Class: security Compatible: compat Component: core Date: 1690985970 Edition: cre Knowledge: doc Level: 1 State: unknown Version: 2.2.0p8 Prior to this Werk, users with the permissions to (a) use the RestAPI, (b) create passwords in the password store, and (c) create active checks were able to run arbitrary commands on the site. This issue was found during internal code review. Affected Versions: LI: 2.0.0 LI: 2.1.0 LI: 2.2.0 prior to version 2.2.0p4 Note that at the point of publishing this Werk and fix, the current version 2.2.0 was already not affected by this issue anymore, as the issue was already mitigated by Werk #15889. Indicators of Compromise: Check the password store for passwords with unusual identifiers, review add-password events in the audit log. Vulnerability Management: We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: <tt>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</tt>. We have assigned CVE <tt>CVE-2023-31209</tt>. Changes: This Werk adds proper sanitization of the affected parameter on core commands. ------------------------------------<diff>------------------------------------------- Title: Fix command injection via RestAPI / Password Store Class: security Compatible: compat Component: core Date: 1690985970 Edition: cre Knowledge: doc Level: 1 State: unknown - Version: 2.2.0p4 ? ^ + Version: 2.2.0p8 ? ^ Prior to this Werk, users with the permissions to (a) use the RestAPI, (b) create passwords in the password store, and (c) create active checks were able to run arbitrary commands on the site. This issue was found during internal code review. Affected Versions: LI: 2.0.0 LI: 2.1.0 LI: 2.2.0 prior to version 2.2.0p4 Note that at the point of publishing this Werk and fix, the current version 2.2.0 was already not affected by this issue anymore, as the issue was already mitigated by Werk #15889. Indicators of Compromise: Check the password store for passwords with unusual identifiers, review add-password events in the audit log. Vulnerability Management: We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: <tt>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</tt>. We have assigned CVE <tt>CVE-2023-31209</tt>. Changes: This Werk adds proper sanitization of the affected parameter on core commands. -

1 month, 2 weeks

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

Checkmk werks security August 2024