Werk #13897: Fix command injection vulnerability

Komponente Notifications
Titel Fix command injection vulnerability
Datum 31.03.2022
Checkmk-Editon Checkmk Raw (CRE)
Checkmk-Version 2.2.0i1 2.1.0b6 2.0.0p24 1.6.0p29
Level Bedeutende Änderung
Klasse Sicherheitsfix
Kompatibilität Inkompatibel - Manuelle Interaktion könnte erforderlich sein

Previously to this Werk an attacker who could control certain notification variables such as NOTIFICATIONTYPE or HOSTNAME was able to inject commands to the fall-back mail command. The commands were then executed as site user.

With this werk the variable MAIL_COMMAND is no longer available in notification scripts.

You can reduce the risk of exploitation with disabling the listening of the notification spooler (the default is disabled) (CEE/CME only feature).

All maintained versions (>=1.6) are subject to this vulnerability. It is likely that also previous versions were vulnerable.

To detect possible exploitation var/log/mknotifyd.log and var/log/notify.log can be checked for special shell characters like && and odd quoting.

Zur Liste aller Werks