Werk #14383: Fix code injection in watolib

Component: Setup
Title: Fix code injection in watolib
Date: Aug 24, 2022
Level: Trivial Change
Class: Security Fix
Compatibility: Compatible - no manual interaction needed

Checkmk versions & editions:
2.2.0b1 (not yet released): Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p11: Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
2.0.0p28: Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.6.0p30: Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

This Werk fixes a code injection vulnerability in watolib.

Prior to this Werk it was possible for authenticated users to inject PHP code into files generated by Wato for the NagVis integration. The code would be executed once a request was made to the respective NagVis component.

The underlying reason for this issue was that user data entered in Wato was not properly sanitized when writing to the PHP file.
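The following added example (not Checkmk's actual code) illustrates this class of bug in Python, the language watolib is written in: a value pasted unchanged between quotes can end the PHP string literal early, while escaping the backslash and the single quote keeps it contained. The helper names `naive_quote`, `php_quote`, `to_php` and `literal_end` and the sample value are assumptions made for the illustration.

```python
# Added illustration; helper names are hypothetical, not Checkmk's actual code.

def naive_quote(text: str) -> str:
    """Unsafe pattern: user data pasted between quotes unchanged."""
    return "'" + text + "'"

def php_quote(text: str) -> str:
    # Inside a single-quoted PHP literal only the backslash and the quote
    # itself are special. Escape the backslash first so a trailing backslash
    # in the input cannot swallow the closing quote.
    return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"

def to_php(value) -> str:
    """Serialize nested Python data into a PHP expression."""
    if isinstance(value, bool):  # bool before int: True is also an int
        return "true" if value else "false"
    if value is None:
        return "null"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, str):
        return php_quote(value)
    if isinstance(value, (list, tuple)):
        return "array(" + ", ".join(to_php(v) for v in value) + ")"
    if isinstance(value, dict):
        pairs = (f"{php_quote(str(k))} => {to_php(v)}" for k, v in value.items())
        return "array(" + ", ".join(pairs) + ")"
    raise TypeError(f"unsupported type for PHP export: {type(value).__name__}")

def literal_end(php: str) -> int:
    """Return the index just past the quote that closes the literal at php[0]."""
    i = 1
    while i < len(php):
        if php[i] == "\\":
            i += 2  # a backslash always protects the following character
        elif php[i] == "'":
            return i + 1
        else:
            i += 1
    raise ValueError("unterminated single-quoted literal")

if __name__ == "__main__":
    alias = "Bob's hosts\\"  # constructed sample: one quote, trailing backslash
    for quoted in (naive_quote(alias), php_quote(alias)):
        contained = literal_end(quoted) == len(quoted)
        print(f"{quoted:22} stays inside the literal: {contained}")
    print(to_php({"alias": alias, "roles": ["admin"], "locked": False}))
```

With the naive form the literal closes after `Bob`, so everything behind it would be read as PHP source; with the escaped form the literal spans the whole value.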

We thank Stefan Schiller (SonarSource) for reporting this issue.

Affected Versions: All currently supported versions are affected: 1.6, 2.0, and 2.1.

Mitigations: As an immediate mitigation you can entirely disable PHP on your server. Note that NagVis will not work anymore without PHP.

Indicators of Compromise: Malicious code is injected in either of the files var/check_mk/wato/auth/auth.php or var/check_mk/wato/php-api/hosttags.php. Check these files for suspicious code.

Vulnerability Management: We have rated the issue with a CVSS Score of 9.1 (Critical) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L. We have assigned CVE-2022-46836 for this issue.

Changes: This Werk fixes the vulnerability by improving sanitization.
