Werk #13897: Fix command injection vulnerability

Component: Notifications
Title: Fix command injection vulnerability
Date: 31.03.2022
Checkmk Edition: Checkmk Raw (CRE)
Checkmk version: 1.6.0p29 2.0.0p24 2.1.0b6 2.2.0b1
Level: Prominent change
Class: Security fix
Compatibility: Incompatible - manual interaction might be required

Prior to this Werk, an attacker who could control certain notification variables such as NOTIFICATIONTYPE or HOSTNAME was able to inject commands into the fall-back mail command. The injected commands were then executed as the site user.

With this Werk, the variable MAIL_COMMAND is no longer available in notification scripts.

You can reduce the risk of exploitation by disabling the listening mode of the notification spooler (it is disabled by default). This is a CEE/CME-only feature.

All maintained versions (>=1.6) are affected by this vulnerability. Earlier versions were likely vulnerable as well.

To detect possible exploitation, check var/log/mknotifyd.log and var/log/notify.log for special shell characters such as && and for odd quoting.
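As an added example (not part of this Werk or of Checkmk's own code), the check above as a small scan: it pulls the NOTIFICATIONTYPE and HOSTNAME values out of log lines and flags any value containing shell metacharacters. The `NAME=value` line layout and the sample lines are constructed assumptions; real notify.log lines are formatted differently, so adapt `VAR_RE` to what your log actually contains.

```python
import re
from typing import Dict, List

# Notification variables the Werk names as attacker-controllable inputs.
WATCHED_VARS = ("NOTIFICATIONTYPE", "HOSTNAME")

# Shell metacharacters that have no business inside a host name or a
# notification type: chaining, substitution, redirection, quoting.
SHELL_META = re.compile(r"""(&&|\|\||\$\(|[;|`$<>"'])""")

# NAME=value pairs; a value runs until the next watched NAME= or end of line,
# so embedded spaces and metacharacters survive for inspection.
_NAMES = "|".join(WATCHED_VARS)
VAR_RE = re.compile(r"\b(%s)=(.*?)(?=\s+(?:%s)=|$)" % (_NAMES, _NAMES))

# Constructed sample lines (assumed layout, not real Checkmk log output).
SAMPLE_LOG = """\
2022-03-31 10:00:01 [20] HOSTNAME=webserver01 NOTIFICATIONTYPE=PROBLEM
2022-03-31 10:00:02 [20] HOSTNAME=db-master NOTIFICATIONTYPE=RECOVERY
2022-03-31 10:00:03 [20] HOSTNAME=host" && id # NOTIFICATIONTYPE=PROBLEM
2022-03-31 10:00:04 [20] HOSTNAME=appsrv NOTIFICATIONTYPE=PROBLEM;$(hostname)
"""


def parse_vars(line: str) -> Dict[str, str]:
    """Return the watched NAME=value pairs found on one log line."""
    return {m.group(1): m.group(2) for m in VAR_RE.finditer(line)}


def suspicious_values(log_text: str) -> List[Dict[str, str]]:
    """One finding per watched variable whose value carries a shell
    metacharacter, with the 1-based line number and the first token hit."""
    findings: List[Dict[str, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for name, value in parse_vars(line).items():
            hit = SHELL_META.search(value)
            if hit:
                findings.append({"line": str(lineno), "var": name,
                                 "value": value, "token": hit.group(0)})
    return findings


if __name__ == "__main__":
    for f in suspicious_values(SAMPLE_LOG):
        print("line %s: %s contains %r in %r" % (f["line"], f["var"], f["token"], f["value"]))
```

Pipe the real files through `suspicious_values` (for example `suspicious_values(open("var/log/notify.log").read())`) and review every hit by hand, since legitimate quoting in service descriptions can also trigger it.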
