Werk #14384: Fix command injection in livestatus query headers

Component Livestatus
Title Fix command injection in livestatus query headers
Date Aug 26, 2022
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.2.0b1
Not yet released
Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0b1
Not yet released
Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p12 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
2.0.0p29 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

Prior to this Werk it was possible to inject livestatus commands in Checkmk's livestatus wrapper and python API. Attackers could add additional commands in the AuthUser query header using newline characters. This allowed running arbitrary livestatus commands, including external commands to the core.

The issue could only be exploited by attackers from localhost, where the tampered header could be injected in a request to graph data.

We thank Stefan Schiller (SonarSource) for reporting this issue.

Affected Versions: All currently supported versions are affected: 1.6, 2.0, and 2.1.

Mitigations: Immediate mitigations are not available.

Indicators of Compromise: Review the logs of Nagios / CMC for suspicious commands.

Vulnerability Management: We have rated the issue with a CVSS Score of 6.8 (Medium) with the following CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L. We have assigned CVE-2022-47909 for this issue.

Changes: This Werk adds sanitization for the AuthUser header field.

To the list of all Werks