Werk #16232: mk_oracle(ps1): Prevent privilege escalation to root

Component Checks & agents
Title mk_oracle(ps1): Prevent privilege escalation to root
Date 17.01.2024
Checkmk Edition Checkmk Raw (CRE)
Checkmk version 2.1.0p41 2.2.0p24 2.3.0b4 2.4.0b1
Level Fundamental change
Class Security fix
Compatibility Compatible - no manual intervention required

The agent plugins mk_oracle, mk_oracle.ps1 and mk_oracle_crs were vulnerable to privilege escalation to root by the oracle user.

A malicious oracle user could replace a binary (e.g. sqlplus) with a script of their own and place it in the corresponding directory. Because the plugin runs as root, the script would be executed by the root user.

All binaries called by the plugins are now checked to determine whether they must be executed as a non-root (non-administrator on Windows) user, which prevents the privilege escalation. Affected binaries: sqlplus, tnsping, crsctl.
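To illustrate the kind of check the werk describes, here is an added example (not Checkmk's mk_oracle code) for the Linux side: a binary is only run with root privileges if it is owned by root and not group- or world-writable; otherwise it is executed as the file's owner. It goes slightly beyond the page by also performing the privilege drop. It assumes GNU coreutils `stat`, `runuser` from util-linux, and a hypothetical `$ORACLE_HOME` layout.

```shell
#!/bin/sh
# Added example, not Checkmk's own plugin code.
# Assumptions: GNU stat (-L, -c), runuser (util-linux), Linux uid 0 == root.

# Return 0 if FILE may be executed with root privileges:
# it must exist, be owned by uid 0, and not be writable by group or others.
# Anything else could have been replaced by an unprivileged (e.g. oracle) user.
safe_to_run_as_root() {
    f=$1
    [ -f "$f" ] || return 1
    [ "$(stat -L -c '%u' "$f")" = 0 ] || return 1
    perm=$(stat -L -c '%a' "$f")            # e.g. 755 or 4755
    g=$(( (perm / 10) % 10 ))               # group permission digit
    o=$(( perm % 10 ))                      # other permission digit
    [ $(( g & 2 )) -eq 0 ] && [ $(( o & 2 )) -eq 0 ]   # bit 2 == write
}

# Print the user a binary should run as: "root" if trustworthy, else its owner.
exec_user_for() {
    if safe_to_run_as_root "$1"; then
        echo root
    else
        stat -L -c '%U' "$1"
    fi
}

# Run BINARY with ARGS. When invoked as root and the binary cannot be
# trusted, drop to the owning user instead of executing it as root.
run_oracle_binary() {
    bin=$1; shift
    user=$(exec_user_for "$bin")
    if [ "$user" = root ] || [ "$(id -u)" != 0 ]; then
        "$bin" "$@"
    else
        runuser -u "$user" -- "$bin" "$@"
    fi
}

# Hypothetical usage inside a plugin (ORACLE_HOME is an assumed path):
# run_oracle_binary "$ORACLE_HOME/bin/sqlplus" -S / as sysdba
```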

Affected Versions

  • 2.3.0 (beta)
  • 2.2.0
  • 2.1.0
  • 2.0.0 (EOL) and older

Mitigations

If updating is not possible, disable the mk_oracle plugin.

Vulnerability Management

We have rated the issue with a CVSS score of 8.2 (High) with the following CVSS vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

We have assigned CVE-2024-0638.

Changes

All binaries called by the plugins are now executed in a safe way.
