Werk #16232: mk_oracle(ps1): Prevent privilege esclation to root

Component Checks & agents
Title mk_oracle(ps1): Prevent privilege esclation to root
Date Jan 17, 2024
Level Major Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.4.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0b4 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p24 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p41 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

The agent plugins mk_oracle, mk_oracle.ps1 and mk_oracle_crs were vulnerable to privilege escalation to root by the oracle user.

A malicious oracle user could replace a binary (e.g. sqlplus) with another script and put it in the corresponding directory. The script would be executed by the root user.

All binaries, which are called by the plugins, are now checked if they need to be executed as a non-root (non-administrator under Windows) user, preventing the privilege escalation. Affected binaries are: sqlplus, tnsping, crsctl.

Affected Versions

  • 2.3.0 (beta)
  • 2.2.0
  • 2.1.0
  • 2.0.0 (EOL) and older

Mitigations

If updating is not possible, disable the mk_oracle plugin.

Vulnerability Management

We have rated the issue with a CVSS score of 8.2 (High) with the following CVSS vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

We have assigned CVE-2024-0638.

Changes

All called binaries are now executed in a safe way.

To the list of all Werks