Werk #14385: Fix limited SSRF in agent-receiver API

Component Core & setup
Title Fix limited SSRF in agent-receiver API
Date Aug 30, 2022
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.2.0b1
Not yet released
Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0b1
Not yet released
Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p12 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

Prior to this Werk attackers could use the host registration API for Server Side Request Forgery.

An attacker would have been able to make the Checkmk server issue local requests to endpoints that should only be accessible from localhost. In order to exploit this vulnerability attackers would have needed the privileges to register hosts. This vulnerability was caused by insufficient sanitization of the hostname of the host to be registered.

We thank Stefan Schiller (SonarSource) for reporting this issue.

Affected Versions: 2.1

Mitigations: The affected API can be disabled using omd stop agent-receiver. Note however, that this makes it impossible to register new hosts.

Vulnerability Management: We have rated the issue with a CVSS Score of 5.0 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N. We have assigned CVE-2022-48321 for this issue.

Changes: This Werk adds validation for the hostname and ensures hostnames are escaped in requests to the REST API.

To the list of all Werks