Werk #17148: Persist known host keys for checks that use SSH
| Komponente | Checks & agents | ||||||||
| Titel | Persist known host keys for checks that use SSH | ||||||||
| Datum | 26.08.2024 | ||||||||
| Level | Kleine Änderung | ||||||||
| Klasse | Sicherheitsfix | ||||||||
| Kompatibilität | Kompatibel - benötigt kein manuelles Eingreifen | ||||||||
| Checkmk versions & editions |
|
When using the special agent VNX quotas and filesystems or the active check Check SFTP Service the host keys were not properly checked.
If an attacker would get into a machine-in-the-middle position he could intercept the connection and retrieve information e.g. passwords.
As of this Werk the host key check is properly done.
In order to store known host keys a regular known_hosts file is used that is stored in /omd/sites/$SITENAME/.ssh/known_hosts.
If a host key changes an error is now raised that requires manual edit of this file.
This issue was found during internal review.
Affected Versions:
- 2.3.0
- 2.2.0
- 2.1.0
- 2.0.0 (EOL)
Vulnerability Management:
We have rated the issue with a CVSS Score of 6.3 Medium CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N and assigned CVE-2024-6572.