Werk #17095: Sanitize Host and Folder Credentials in Audit Log
Component | Setup | ||||||||
Title | Sanitize Host and Folder Credentials in Audit Log | ||||||||
Date | Oct 7, 2024 | ||||||||
Level | Trivial Change | ||||||||
Class | Security Fix | ||||||||
Compatibility | Incompatible - Manual interaction might be required | ||||||||
Checkmk versions & editions |
|
Before this Werk, adding, changing, or removing SNMP and IMPI credentials in a host or folder's properties would log those credentials in the WATO audit log. Now, credentials are masked before being written to the log.
The affected logs, both via the rendering functionality in WATO as well as the files on the file system, are only accessible to authenticated users.
This issue was found during internal review.
Affected Versions:
- 2.3.0
- 2.2.0
- 2.1.0
- 2.0.0 (EOL)
Recommendations:
We have marked this Werk incompatible because we recommend taking manual action:
Consider rotating affected credentials. If that is not feasible, consider sanitizing the log files. Also take into account that log files containing credentials might have been written to backups.
The affected log files can be found in ~/var/check_mk/wato/log
.
Note that, before Checkmk 2.3.0p18, entries in the files were not separated by newlines but by null bytes.
So they would appear as one long line.
Entries that might contain credentials are all entries where the 'action'
is 'edit-folder'
or 'edit-host'
, and the 'diff_text'
contains any of the following strings:
Attribute "snmp_community"
Value of "snmp_community"
Attribute "management_snmp_community"
Value of "management_snmp_community"
Attribute "management_ipmi_credentials"
Value of "management_ipmi_credentials"
Vulnerability Management:
We have rated the issue with a CVSS Score of 5.1 Medium (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
) and assigned CVE-2024-38862
.