Werk #16232: mk_oracle(ps1): Prevent privilege escalation to root

Component Checks & agents
Title mk_oracle(ps1): Prevent privilege escalation to root
Date Jan 17, 2024
Checkmk Edition Checkmk Raw (CRE)
Checkmk Version 2.1.0p41 2.2.0p24 2.3.0b4 2.4.0b1
Level Major Change
Class Security Fix
Compatibility Compatible - no manual interaction needed

The agent plugins mk_oracle, mk_oracle.ps1 and mk_oracle_crs were vulnerable to privilege escalation: the oracle user could gain root privileges.

A malicious oracle user could replace a binary (e.g. sqlplus) with a script of their own and place it in the corresponding directory. The plugin would then execute that script as the root user.

All binaries called by the plugins are now checked to determine whether they must be executed as a non-root user (a non-administrator user on Windows), which prevents the privilege escalation. The affected binaries are sqlplus, tnsping and crsctl.
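The check described above, as an added example that is not mk_oracle's own code: before a root-running agent plugin invokes an Oracle binary, it verifies that neither the binary nor its directory can be modified by anyone but root, and otherwise runs the binary as the unprivileged oracle user. The example assumes a POSIX `find` and util-linux `su` (for `-s` and positional-argument passing); `run_oracle_binary`, `binary_is_root_safe` and `root_owned_unwritable` are hypothetical names.

```shell
#!/bin/sh
# Added example (not mk_oracle's own code): run an Oracle binary with root
# privileges only when the oracle user cannot have tampered with it.

# Return 0 if PATH is of type TYPE (f = file, d = directory), owned by root and
# writable only by its owner. Symlinks fail the test because find does not
# follow them, so a planted link is treated as untrusted.
root_owned_unwritable() {
    path=$1; type=$2
    [ -n "$(find "$path" -prune -type "$type" -user root \
                ! -perm -g=w ! -perm -o=w -print 2>/dev/null)" ]
}

# Return 0 if BIN may be executed as root: both the file and the directory
# that contains it must pass root_owned_unwritable (a writable directory
# would let the oracle user swap the binary for a script).
binary_is_root_safe() {
    bin=$1
    root_owned_unwritable "$bin" f && root_owned_unwritable "$(dirname "$bin")" d
}

# Run BIN with the remaining arguments. If we are root and BIN is not root-safe,
# drop to USER first so that a replaced sqlplus gains nothing.
run_oracle_binary() {
    bin=$1; user=$2; shift 2
    if [ "$(id -u)" -ne 0 ] || binary_is_root_safe "$bin"; then
        "$bin" "$@"
    else
        # util-linux su hands the arguments after -c to the shell as $0, $1, ...
        su -s /bin/sh "$user" -c 'exec "$0" "$@"' "$bin" "$@"
    fi
}

# Demo with a constructed stand-in for sqlplus (no Oracle installation needed).
demo() {
    dir=$(mktemp -d); chmod 755 "$dir"
    printf '#!/bin/sh\necho "sqlplus running as $(id -un)"\n' > "$dir/sqlplus"
    chmod 755 "$dir/sqlplus"
    if binary_is_root_safe "$dir/sqlplus"; then
        echo "$dir/sqlplus is root-safe"
    else
        echo "$dir/sqlplus is NOT root-safe: would be run as the oracle user"
    fi
    rm -rf "$dir"
}
demo
```

On a real host the Oracle home is normally owned by the oracle user, so `binary_is_root_safe` fails for sqlplus and the binary is executed as oracle, which is the intended outcome.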

Affected Versions

  • 2.3.0 (beta)
  • 2.2.0
  • 2.1.0
  • 2.0.0 (EOL) and older

Mitigations

If updating is not possible, disable the mk_oracle plugin.

Vulnerability Management

We have rated the issue with a CVSS score of 8.2 (High) with the following CVSS vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

We have assigned CVE-2024-0638.

Changes

All called binaries are now executed in a safe way.
