Werk #16361: Privilege escalation in Windows agent

Komponente Checks & agents
Titel Privilege escalation in Windows agent
Datum 26.02.2024
Level Kleine Änderung
Klasse Sicherheitsfix
Kompatibilität Kompatibel - benötigt kein manuelles Eingreifen
Checkmk versions & editions
2.4.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p23 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p40 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

In order to execute some system commands Checkmk Windows agent writes cmd files to C:\Windows\Temp\ and afterwards executes them. The permissions of the files were set restrictive but existing files were not properly handled. If a cmd file already existed and was write protected the agent was not able to rewrite the file but did not handle this case and executed the file nevertheless.

We thank Michael Baer (SEC Consult Vulnerability Lab) for reporting this issue.

Affected Versions: * 2.2.0 * 2.1.0 * 2.0.0

Indicators of Compromise: The filename of the cmd file needed to be guessed therefore the proof-of-concept creates a lot of files in C\Windows\Temp with the filename cmk_all_\d+_1.cmd. These file-creation events could be monitored.

Vulnerability Management: We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. We assigned CVE-2024-0670 to this vulnerability.

Changes: This Werk changes the temp folder and adds a subfolder with more restrictive permissions in which the files are created. Also errors are handled better.

Zur Liste aller Werks