Werk #17232: Synthetic Monitoring: Fix XSS vector in HTML logs displayed in UI

Component User interface
Title Synthetic Monitoring: Fix XSS vector in HTML logs displayed in UI
Date Aug 26, 2024
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.4.0b1
Not yet released
Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0p14 Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

The user interface offers the option to display the HTML logs of monitored synthetic tests. These logs are generated on the host where the test is executed and are therefore prone to XSS attacks. A malicious actor with access to the host could attempt to inject malicious JavaScript code into these logs before they are transferred to the monitoring server.

As of this werk, the logs are rendered sandboxed, which prevents code injected into the logs from accessing the surrounding Checkmk site. However, note that an attacker could still attempt to hijack the log to eg. display a fake login page. Therefore, we additionally display a corresponding security note when rendering the logs.

An unfortunate side effect of the sandboxing described above is that the "Expand/Collapse all" buttons in the logs are deactivated. Users can still download the logs and inspect them outside the Checkmk user interface, as before.

This issue was found during internal review.

Affected Versions:

  • 2.3.0

Mitigations:

Avoid displaying the HTML logs in the user interface.

Vulnerability Management:

We have rated the issue with a CVSS Score of 2.3 Low (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N) and assigned CVE-2024-38858.

To the list of all Werks