Werk #17098: Fix access permissions in Windows Agents
Component | Checks & agents
Title | Fix access permissions in Windows Agents
Date | Nov 29, 2024
Level | Trivial Change
Class | Security Fix
Compatibility | Compatible - no manual interaction needed
Incorrectly assigned permissions allowed local, unprivileged Windows users to read sensitive data of the Checkmk Windows agent.
Before this Werk, non-admin users could read files in the ProgramData\checkmk\agent directory.
This directory contains sensitive information, such as the agent's private key used to authenticate its TLS connections to the Checkmk site.
The issue is a regression from an incomplete fix in Werk #16845. It was found during internal review.
Affected Versions:
- 2.3.0
- 2.2.0 >= 2.2.0p22
- 2.1.0 (EOL)
Mitigations:
If updating is not possible, you can manually remove all permissions for the group Users on the directory ProgramData\checkmk\agent and all its contents.
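One way to apply and verify this mitigation from an elevated PowerShell prompt, as an added example that is not part of the Werk or Checkmk's own tooling. It assumes the directory lives under %ProgramData% and refers to the Users group by its well-known SID S-1-5-32-545, so it does not depend on the localized group name; `Get-UsersAce` is a hypothetical helper name.

```powershell
# Added example, not Checkmk code. Run from an elevated PowerShell prompt.
# Assumption: the agent data directory is %ProgramData%\checkmk\agent (path from the Werk).
$AgentDir = Join-Path $env:ProgramData 'checkmk\agent'
# Well-known SID of BUILTIN\Users; the SID is the same on every Windows language version.
$UsersSid = 'S-1-5-32-545'

function Get-UsersAce {
    # Return every ACE (explicit or inherited) that names BUILTIN\Users
    # on $Path and on everything below it.
    param([string]$Path)
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.IdentityReference.Value -eq $UsersSid } |
            ForEach-Object {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Rights    = $_.FileSystemRights
                    Type      = $_.AccessControlType
                    Inherited = $_.IsInherited
                }
            }
    }
}

# 1. Audit: list what Users can currently access.
$before = @(Get-UsersAce -Path $AgentDir)
$before | Format-Table -AutoSize

if ($before.Count -gt 0) {
    # 2. Stop inheriting from %ProgramData%, copying the inherited entries as explicit
    #    ones so that SYSTEM and Administrators keep their access.
    icacls.exe $AgentDir /inheritance:d | Out-Null
    # 3. Remove all entries for Users on the directory and all its contents.
    #    /T recurses, /C continues past files that cannot be changed.
    icacls.exe $AgentDir /remove "*$UsersSid" /T /C | Out-Null
}

# 4. Verify: no ACE for Users may remain anywhere under the directory.
$after = @(Get-UsersAce -Path $AgentDir)
if ($after.Count -eq 0) {
    "OK: no permissions for BUILTIN\Users remain under $AgentDir"
} else {
    Write-Warning "BUILTIN\Users still has access to $($after.Count) item(s):"
    $after | Format-Table -AutoSize
}
```

Step 2 matters because entries inherited from the parent directory cannot be removed directly; inheritance has to be broken on the agent directory first.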
Vulnerability Management:
We have rated the issue with a CVSS Score of 4.8 Medium (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N) and assigned CVE-2024-38864.