Werk #17095: Sanitize Host and Folder Credentials in Audit Log

Component Setup
Title Sanitize Host and Folder Credentials in Audit Log
Date Oct 7, 2024
Level Trivial Change
Class Security Fix
Compatibility Incompatible - Manual interaction might be required
Checkmk versions & editions
2.4.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0p18 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p35 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p48 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

Before this Werk, adding, changing, or removing SNMP and IMPI credentials in a host or folder's properties would log those credentials in the WATO audit log. Now, credentials are masked before being written to the log.

The affected logs, both via the rendering functionality in WATO as well as the files on the file system, are only accessible to authenticated users.

This issue was found during internal review.

Affected Versions:

  • 2.3.0
  • 2.2.0
  • 2.1.0
  • 2.0.0 (EOL)

Recommendations:

We have marked this Werk incompatible because we recommend taking manual action:

Consider rotating affected credentials. If that is not feasible, consider sanitizing the log files. Also take into account that log files containing credentials might have been written to backups.

The affected log files can be found in ~/var/check_mk/wato/log.

Note that, before Checkmk 2.3.0p18, entries in the files were not separated by newlines but by null bytes. So they would appear as one long line. Entries that might contain credentials are all entries where the 'action' is 'edit-folder' or 'edit-host', and the 'diff_text' contains any of the following strings:

  • Attribute "snmp_community"
  • Value of "snmp_community"
  • Attribute "management_snmp_community"
  • Value of "management_snmp_community"
  • Attribute "management_ipmi_credentials"
  • Value of "management_ipmi_credentials"

Vulnerability Management:

We have rated the issue with a CVSS Score of 5.1 Medium (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N) and assigned CVE-2024-38862.

To the list of all Werks