Werk #15200: Restrict check_sftp local paths

Component Checks & agents
Title Restrict check_sftp local paths
Date May 16, 2024
Level Trivial Change
Class Security Fix
Compatibility Incompatible - Manual interaction might be required
Checkmk versions & editions
2.4.0b1
Not yet released
Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0p4 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p27 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p44 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

Prior to this Werk, check_sftp did not restrict the local paths that for files to be uploaded and downloaded. This allowed users with the permissions to configure check_sftp to read or write files within the Checkmk site home.

The local paths are now restricted to the folder var/check_mk/active_checks/check_sftp within the Checkmk site home. As a consequence, the local paths in existing configurations will now be interpreted as relative to that folder. Since a test file is created if the local file to upload doesn't exist, the check will continue to work, but it will not pick up files from the old location. Similarly, the downloaded files will be stored in a new location.

This issue was found during internal review.

If you want a hot-fix in existing versions and are not using check_sftp, you can remove the executable (/omd/sites/[SITE_ID]/lib/nagios/plugins/check_sftp) from your installation.

Affected Versions:

  • 2.3.0
  • 2.2.0
  • 2.1.0
  • 2.0.0 (EOL)

Vulnerability Management:

We have rated the issue with a CVSS Score of 8.8 High with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and assigned CVE CVE-2024-28826.

To the list of all Werks