Werk #14098: Fix ownership of debian maintainer scripts for shipped agent package

Component: Agent bakery
Title: Fix ownership of debian maintainer scripts for shipped agent package
Date: Jun 13, 2022
Level: Trivial Change
Class: Security Fix
Compatibility: Compatible - no manual interaction needed
Checkmk versions & editions:
2.2.0b1 (not yet released) Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p3 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
2.0.0p26 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.6.0p29 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

This issue affects users that deployed the shipped version of the Checkmk agent Debian package. Packages created by the agent bakery (enterprise editions only) were not affected.

Prior to this Werk, a user with the UID 1001 on a monitored host could gain root privileges.

This was caused by wrong file ownership of the maintainer scripts located at /var/lib/dpkg/info: they were owned by the user and group with the ID 1001 instead of root. If such a user exists on your system, they can change the content of these files, which are later executed by root (during package installation, update or removal), leading to a local privilege escalation on the monitored host.

To see if you are affected, check the ownership of the files /var/lib/dpkg/info/check-mk-agent.* -- they should be owned by root and only writable by root.

If those files are not owned by root, you should perform the following steps before updating the agent:

  • Ensure they have not been tampered with.
  • Either immediately upgrade the agent or change the ownership of the files to root.root and the permissions to 755.
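
The ownership check described above, written as a script. This is an added example, not part of the Werk or of Checkmk's code; the function name, its optional arguments and the --run switch are assumptions made so the check can be tried on a test directory. It only reports ownership and write bits and does not verify file contents.

```shell
#!/bin/sh
# Added example: audit ownership and mode of the Checkmk agent's dpkg
# maintainer scripts. Requires GNU stat (present on Debian and Ubuntu).
# Hypothetical interface:
#   audit_maintainer_scripts [info_dir] [expected_uid] [expected_gid]
# Returns 0 if all files are fine, 1 on findings, 2 if no file matched.
audit_maintainer_scripts() {
    dir=${1:-/var/lib/dpkg/info}
    want=${2:-0}:${3:-0}
    seen=0
    bad=0
    for f in "$dir"/check-mk-agent.*; do
        # An unmatched glob stays literal; skip it unless it is a dangling symlink.
        if [ ! -e "$f" ] && [ ! -L "$f" ]; then continue; fi
        seen=1
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "$f: not a regular file"
            bad=1
            continue
        fi
        owner=$(stat -c '%u:%g' "$f")
        mode=$(stat -c '%a' "$f")
        if [ "$owner" != "$want" ]; then
            echo "$f: owner $owner, expected $want"
            bad=1
        fi
        # Octal 022 = write bit for group and for others.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "$f: mode $mode is writable by group or others"
            bad=1
        fi
    done
    if [ "$seen" -eq 0 ]; then
        echo "no check-mk-agent.* files in $dir" >&2
        return 2
    fi
    return "$bad"
}

# Audit the live dpkg database only when asked to: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_maintainer_scripts
    exit $?
fi
```

Any line of output means the files need the review and ownership fix described above before the next package operation runs them as root.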

To make sure the files have not been tampered with, you can check out the expected content in the "%pre", "%post" and "%preun" sections of this file (make sure to select the right Checkmk version in the dropdown choice that reads "master").

To get an idea of what the files should look like in the 2.1.0 version, you can also look at the checked-in versions of the master branch here. Note that smaller deviations are no cause for concern.

This Werk fixes the CVE: CVE-2022-33912
