Werk #5208: Fix possible information disclosure to unauthenticated users

Component User interface
Title Fix possible information disclosure to unauthenticated users
Date Sep 25, 2017
Checkmk Edition Checkmk Raw (CRE)
Checkmk Version 1.2.8p26
Level Prominent Change
Class Security Fix
Compatibility Compatible - no manual interaction needed

In affected Check_MK versions it was possible to obtain information about the internal user database as an unauthenticated user.

The latest oldstable version 1.2.8p25 of Check_MK is vulnerable to an unauthenticated information disclosure through a race condition during the authentication process when trying to authenticate with a valid username and an invalid password.

Check_MK 1.4 or newer is not affected by this issue.

The issue is caused by the logic that saves the number of failed logins for each user. During saving it could happen that parallel calls tried to rename a non-existing file, which had just been renamed by a previous concurrent process. This causes the Check_MK GUI to fail and generate a crash report disclosing a variety of information, such as internal server paths and detailed user information.
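The interleaving described above, shown as an added illustration rather than Check_MK's own code: two writers share a single temp file name, the loser's rename finds nothing to rename, and the unhandled exception is what turned into the crash report. The second function is the race-free form (a private temp file per writer, then an atomic replace); file names and helper names are assumptions made for the demo.

```python
import os
import tempfile
import threading

def reproduce_shared_tempname_race(path):
    """Replay the werk's interleaving with one shared temp name; True if the loser's rename fails."""
    tmp = path + ".new"                       # one temp name for every writer: the bug
    with open(tmp, "w") as f:
        f.write("1")                          # writer A stores its failed-login count
    with open(tmp, "w") as f:
        f.write("2")                          # writer B overwrites the same temp file
    os.rename(tmp, path)                      # writer B renames first and wins
    try:
        os.rename(tmp, path)                  # writer A: the temp file is already gone
    except FileNotFoundError:
        return True                           # this unhandled error became the crash report
    return False

def save_failed_logins(path, count):
    """Race-free variant: private temp file per writer (mkstemp), then atomic os.replace()."""
    fd, tmp = tempfile.mkstemp(prefix=".failed_logins.", dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as f:
            f.write("%d\n" % count)
        os.replace(tmp, path)                 # atomic; overwrites an existing target
    except BaseException:
        os.unlink(tmp)                        # never leave a stale temp file behind
        raise

def stress(path, writers=8, rounds=100):
    """Hammer save_failed_logins from several threads; return (OSError count, stored value)."""
    errors = []
    def work():
        for i in range(rounds):
            try:
                save_failed_logins(path, i)
            except OSError as e:
                errors.append(e)
    threads = [threading.Thread(target=work) for _ in range(writers)]
    for t in threads: t.start()
    for t in threads: t.join()
    with open(path) as f:
        return len(errors), int(f.read())

def demo():
    with tempfile.TemporaryDirectory() as d:  # scratch dir; file name is constructed
        path = os.path.join(d, "failed_logins.demo_user")
        raced = reproduce_shared_tempname_race(path)
        errors, value = stress(path)
    return raced, errors, value
```

`demo()` returns `(True, 0, n)`: the shared-name variant fails deterministically, while the per-writer temp file survives concurrent writers without a single OSError and always leaves a complete counter on disk.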

The race condition causing this issue has been fixed with this werk.

This issue is currently identified with the ID: RCESEC-2017-001
