Werk #14098: Fix ownership of Debian maintainer scripts for shipped agent package

Component Agent bakery
Title Fix ownership of Debian maintainer scripts for shipped agent package
Date 13.06.2022
Checkmk Edition Checkmk Raw (CRE)
Checkmk Version 2.1.0p3 2.0.0p26 1.6.0p29 2.2.0i1
Level Minor change
Class Security fix
Compatibility Compatible - no manual intervention required

This issue affects users who deployed the shipped version of the Checkmk agent Debian package. Packages created by the agent bakery (enterprise editions only) were not affected.

Prior to this Werk, a user with the UID 1001 on a monitored host could gain root privileges.

This was caused by wrong file ownership of the maintainer scripts located at /var/lib/dpkg/info: they were owned by the user and group with the ID 1001 instead of root. If such a user exists on your system, they can change the content of these files, which are later executed by root (during package installation, update or removal), leading to a local privilege escalation on the monitored host.

To see if you are affected, check the ownership of the files /var/lib/dpkg/info/check-mk-agent.* -- they should be owned by root and only writable by root.
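
One way to script the ownership check described above. This is an added example, not part of the original Werk or of Checkmk's own tooling; the function name audit_maintainer_scripts and its optional arguments are assumptions for illustration, and GNU stat is assumed to be available.

```shell
#!/bin/sh
# Added example: audit owner, group and mode of the agent's dpkg maintainer scripts.
# audit_maintainer_scripts is a hypothetical helper name; needs GNU stat (Debian/Ubuntu).
#
# Usage: audit_maintainer_scripts [DIR] [EXPECTED_UID] [EXPECTED_GID]
# Returns 0 if every file is fine, 1 if any file is flagged, 2 if no file matched.
audit_maintainer_scripts() {
    dir=${1:-/var/lib/dpkg/info}
    want_uid=${2:-0}    # root, per the Werk
    want_gid=${3:-0}
    found=0
    bad=0
    for f in "$dir"/check-mk-agent.*; do
        [ -e "$f" ] || continue    # glob matched nothing
        found=1
        uid=$(stat -c %u -- "$f")
        gid=$(stat -c %g -- "$f")
        mode=$(stat -c %a -- "$f")
        why=
        if [ "$uid" -ne "$want_uid" ] || [ "$gid" -ne "$want_gid" ]; then
            why="owner $uid:$gid, expected $want_uid:$want_gid"
        fi
        # Any group or other write bit set means a non-root user may edit the script.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            why="${why:+$why; }mode $mode is writable by group or others"
        fi
        if [ -n "$why" ]; then
            bad=1
            # The modification time helps when reviewing the file for tampering.
            printf 'NOT OK  %s  (%s)  mtime=%s\n' "$f" "$why" "$(stat -c %y -- "$f")"
        fi
    done
    if [ "$found" -eq 0 ]; then
        printf 'no check-mk-agent.* files in %s\n' "$dir"
        return 2
    fi
    return "$bad"
}

# On a monitored host, call it without arguments: audit_maintainer_scripts
```

A return code of 1 means at least one maintainer script is not owned by root or is writable by a non-root user; review the listed files before changing ownership or upgrading.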

If those files are not owned by root, you should perform the following steps before updating the agent:

  • Ensure they have not been tampered with.
  • Either immediately upgrade the agent or change the ownership of the files to root.root and the permissions to 755.

To make sure the files have not been tampered with, you can check out the expected content in the "%pre", "%post" and "%preun" sections of this file (make sure to select the right Checkmk version in the dropdown choice that reads "master").

To get an idea of what the files should look like in the 2.1.0 version, you can also look at the checked-in versions of the master branch here. Note that smaller deviations are no cause for concern.

This Werk fixes the CVE: CVE-2022-33912
