Werk #15181: Improper validation of LDAP user IDs
| Component | Setup |
| Title | Improper validation of LDAP user IDs |
| Date | Jan 11, 2023 |
| Checkmk Edition | Checkmk Raw (CRE) |
| Checkmk Version | 2.0.0p33 2.1.0p20 |
| Level | Trivial Change |
| Class | Security Fix |
| Compatibility | Compatible - no manual interaction needed |
Prior to this Werk user IDs synced from an LDAP connection were not properly sanitized. The allowed characters for LDAP users user IDs were not restricted in the same way as local user IDs.
As a result, malicious actors with the ability to change an LDAP user's uid attribute were able to, within limits, manipulate files on the server. For instance, attackers were able to override files in other users' var/check_mk/web folder, including the deletion of their stored two-factor credentials (thus disabling 2FA for the affected user). Additionally, attackers could also lock users out of their accounts by creating a 2FA-credentials file in the affected user's web folder.
However, it should be noted that to the best of our knowledge, attackers could not have impersonated other users or taken over their accounts directly.
This issue was discovered during internal review.
Affected Versions:
- 2.1.0 previous to this Werk
- 2.0.0 previous to this Werk
- 1.6.0 (EOL)
Mitigations:
Disable LDAP user synchronization.
Indicators of Compromise:
Inspect the list of users in WATO user management (Setup > Users) for suspicious user IDs from an LDAP connection.
Vulnerability Management:
We have rated the issue with a CVSS Score of 6.8 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H.
We have assigned the CVE CVE-2023-0284
Changes:
This Werk adds sanitization to LDAP user IDs. We do not anticipate any negative impact on legitimate user IDs as the now-forbidden user IDs could not have been used in a functional way.
