Werk #16226: Privilege escalation in Agent

Component Checks & agents
Title Privilege escalation in Agent
Date Dec 7, 2023
Level Prominent Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.3.0b1
Not yet released
Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p17 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

In order to monitor livestatus from running sites on a host the Checkmk agent uses unixcat that is part of Checkmk. Since the binary is linked to libraries that are also part of Checkmk and may differ from the libraries of the operating system calling unixcat outside of the scope of a site could result to errors due to version mismatches in these libraries. To use the correct libraries in Checkmk 2.2.0p10 a fix was introduced to add the libraries from the site to the call in the agent. Since the lib folder within a site is writable by the site a rogue site could inject malicious libraries into the unixcat call from the agent that is executed as root leading to a privilege escalation.

We thank Jan-Philipp Litza for reporting this issue.

Affected Versions: * since 2.2.0p10

Vulnerability Management: We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. We assigned CVE-2023-31210 to this vulnerability.

Changes: This Werk changes the library path from the site to the version files, which are only root-writable.

To the list of all Werks