Werk #2252: mk_logwatch: Fixed mostly uncritical command injection from config

Component Checks & agents
Title mk_logwatch: Fixed mostly uncritical command injection from config
Date May 8, 2015
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
1.2.7i1
Not yet released
Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.2.7i1
Not yet released
Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.2.7i1
Not yet released
Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.2.7i1
Not yet released
Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.2.7i1
Not yet released
Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.2.7i1
Not yet released
Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.2.7i1
Not yet released
Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.2.7i1
Not yet released
Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
1.2.7i1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

This change fixes a security related issue n the mk_logwatch linux agent plugin. It was possible to inject commands to the agent plugin when having write access to the logwatch.cfg configuration file. This might result in privilege escalation issues in very rare conditions.

From our point of view this is a low impact issue for nearly all installations out there. Most installations run the agent as root but also have the logwatch.cfg only being writable by root. So if a user has write access to this file the user don't need to do privilege escalation anymore since he is already root.

If you have the situation where the agent is executed in another user context than the configuration file logwatch.cfg can be written, you should update to the fixed mk_logwatch plugin.

Thanks to Adam Lis for finding and reporting this issue!

Short Q/As:

What does the attacker need?

He needs to have write access to the /etc/check_mk/logwatch.cfg, which is normally only writable by root.

What does the attacker get?

He can execute commands in context of the Check_MK-Agent (often root).

Do I need to update asap?

Only if non-root users can edit the logwatch.cfg.

I want to update, where can I get the fixed version?

If we did not release an updated version yet, you can get it from the git:

http://git.mathias-kettner.de/git/?p=check_mk.git;a=blob_plain;f=agents/plugins/mk_logwatch;hb=refs/heads/1.2.6

To the list of all Werks