We use cookies to ensure that we give you the best experience on our website.  Visit our Privacy Policy to learn more. If you continue to use this site, we will assume that you are okay with it.

Your choices regarding cookies on this site.
Your preferences have been updated.
In order for the changes to take effect completely please clear your browser cookies and cache. Then reload the page.

Checkmk Conference #6 is coming! Regular sale ends in . Get your tickets here!

Werk #0984: Fix code injection for logged in users via automation url

ComponentWATO
TitleFix code injection for logged in users via automation url
Date2014-05-27 15:01:17
Checkmk EditionCheckmk Raw Edition (CRE)
Checkmk Version1.2.5i4
LevelProminent Change
ClassSecurity Fix
CompatibilityIncompatible - Manual interaction might be required

This fixes CVSS 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C. The description:

The check_mk applications uses insecure API calls, which allow an attacker to execute arbitrary code on the server by issuing just a single URL. The reason for this is the usage of the insecure "pickle" API call. Apparently this was modified as a security means from a former version, which used "eval"-like structures with untrusted input data. Anyhow, as the python API documentation clearly state, "pickle" should be considered unsafe as well, see: https://docs.python.org/2/library/pickle.html.

The fix replaces pickle with a module called ast. Unfortunately this module is not available on Centos/RedHat 5.X and Debian 5. On these systems WATO still uses pickle, even with this fix.

Note: This change makes the current Check_MK versions incompatible to older versions. In a mixed environment with old and new Check_MK versions or with old and newer Python versions you have to force WATO to use the old unsafe method by setting wato_legacy_eval = True in multisite.mk. This can also be done with the new global WATO setting Use unsafe legacy encoding for distributed WATO.