Werk #13897: Fix command injection vulnerability
Component | Notifications |
Title | Fix command injection vulnerability |
Date | Mar 31, 2022 |
Checkmk Edition | Checkmk Raw (CRE) |
Checkmk Version | 2.2.0b1 2.1.0b6 2.0.0p24 1.6.0p29 |
Level | Prominent Change |
Class | Security Fix |
Compatibility | Incompatible - Manual interaction might be required |
Previously to this Werk an attacker who could control certain notification variables such as NOTIFICATIONTYPE or HOSTNAME was able to inject commands to the fall-back mail command. The commands were then executed as site user.
With this werk the variable MAIL_COMMAND is no longer available in notification scripts.
You can reduce the risk of exploitation with disabling the listening of the notification spooler (the default is disabled) (CEE/CME only feature).
All maintained versions (>=1.6) are subject to this vulnerability. It is likely that also previous versions were vulnerable.
To detect possible exploitation var/log/mknotifyd.log and var/log/notify.log can be checked for special shell characters like && and odd quoting.