Werk #13897: Fix command injection vulnerability
|Title||Fix command injection vulnerability|
|Date||Mar 31, 2022|
|Checkmk Editon||Checkmk Raw (CRE)|
|Checkmk Version||2.2.0i1 2.1.0b6 2.0.0p24 1.6.0p29|
|Compatibility||Incompatible - Manual interaction might be required|
Previously to this Werk an attacker who could control certain notification variables such as NOTIFICATIONTYPE or HOSTNAME was able to inject commands to the fall-back mail command. The commands were then executed as site user.
With this werk the variable MAIL_COMMAND is no longer available in notification scripts.
You can reduce the risk of exploitation with disabling the listening of the notification spooler (the default is disabled) (CEE/CME only feature).
All maintained versions (>=1.6) are subject to this vulnerability. It is likely that also previous versions were vulnerable.
To detect possible exploitation var/log/mknotifyd.log and var/log/notify.log can be checked for special shell characters like && and odd quoting.