Werk #16226: Privilege escalation in Agent
| Komponente | Checks & agents |
| Titel | Privilege escalation in Agent |
| Datum | 07.12.2023 |
| Checkmk Edition | Checkmk Raw (CRE) |
| Checkmk-Version | 2.2.0p17 2.3.0b1 |
| Level | Bedeutende Änderung |
| Klasse | Sicherheitsfix |
| Kompatibilität | Kompatibel - benötigt kein manuelles Eingreifen |
In order to monitor livestatus from running sites on a host the Checkmk agent uses unixcat that is part of Checkmk. Since the binary is linked to libraries that are also part of Checkmk and may differ from the libraries of the operating system calling unixcat outside of the scope of a site could result to errors due to version mismatches in these libraries. To use the correct libraries in Checkmk 2.2.0p10 a fix was introduced to add the libraries from the site to the call in the agent. Since the lib folder within a site is writable by the site a rogue site could inject malicious libraries into the unixcat call from the agent that is executed as root leading to a privilege escalation.
We thank Jan-Philipp Litza for reporting this issue.
Affected Versions: * since 2.2.0p10
Vulnerability Management: We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. We assigned CVE-2023-31210 to this vulnerability.
Changes: This Werk changes the library path from the site to the version files, which are only root-writable.
