Werk #9482: SEC: Fix web configuration authentication bypass
| Field | Value |
| --- | --- |
| Component | Firmware |
| Title | SEC: Fix web configuration authentication bypass |
| Date | Nov 5, 2021 |
| Appliance Version | 1.4.17 |
| Level | Major Change |
| Class | Bug Fix |
| Compatibility | Compatible - no manual interaction needed |
An unauthenticated attacker would be able to retrieve the device secret from the web configuration interface of the appliance and could bypass authentication.
In order to fix the vulnerability in your environment, we highly recommend updating your Checkmk appliance installations to 1.4.17 or newer.
The vulnerability was identified during an internal security audit. Once we became aware of the issue, we took immediate action to investigate the matter and published the release 1.4.17 to fix the issue.
CVE-2021-43502 was assigned to this vulnerability.
Affected versions
All versions previous to 1.4.17.
Fixed versions
1.4.17 or newer.
How do I detect whether my system was compromised?
To check whether you are affected, you can review the access logs of the appliance web server for entries that happened without your knowledge or at times when you were not working with the system.
The log files can be found at '/var/log/apache/access/access.log' for appliances that are accessed via HTTP (without SSL) or '/var/log/apache/access/ssl_access.log' for appliances that are accessed via HTTPS (with SSL enabled).
The access is also logged to the syslog file of the device (/var/log/syslog) and forwarded to the log server, if you have enabled that in the device settings of your appliance. The relevant log entries in this file look like this: "Nov 5 10:25:35 monitoring webconfd: 127.0.0.1 ...".
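As an added example that is not part of this Werk, the following Python script reviews webconfd entries in the syslog format quoted above and reports accesses from source IPs outside an allowlist or outside working hours. The sample log lines, the trusted IP set and the working-hours window are constructed assumptions; only the timestamp, host and client IP are parsed, since the advisory does not specify the rest of the line.

```python
import re
from datetime import datetime

# Matches syslog lines such as "Nov 5 10:25:35 monitoring webconfd: 127.0.0.1 ..."
# (the format shown in the advisory). Anything after the client IP is kept verbatim.
WEBCONFD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) webconfd: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b(?P<rest>.*)$"
)


def parse_webconfd(line):
    """Return a dict for a webconfd syslog line, or None for any other line."""
    m = WEBCONFD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog carries no year
    return {"time": m["ts"], "hour": ts.hour, "host": m["host"],
            "ip": m["ip"], "rest": m["rest"].strip()}


def suspicious_webconfd_access(lines, trusted_ips, work_hours=(8, 18)):
    """Return webconfd entries from untrusted IPs or outside work_hours [start, end)."""
    findings = []
    for line in lines:
        entry = parse_webconfd(line)
        if entry is None:
            continue
        reasons = []
        if entry["ip"] not in trusted_ips:
            reasons.append("untrusted source IP")
        if not (work_hours[0] <= entry["hour"] < work_hours[1]):
            reasons.append("outside working hours")
        if reasons:
            entry["reasons"] = reasons
            findings.append(entry)
    return findings


# Constructed sample input (assumption): "..." stands in for the unspecified remainder.
SAMPLE_SYSLOG = """Nov 5 10:25:35 monitoring webconfd: 127.0.0.1 ...
Nov 5 03:12:09 monitoring webconfd: 203.0.113.45 ...
Nov 5 14:02:11 monitoring webconfd: 10.0.0.5 ...
Nov 5 14:03:00 monitoring kernel: unrelated entry
"""
TRUSTED_IPS = {"127.0.0.1", "10.0.0.5"}  # assumed admin sources for this appliance

if __name__ == "__main__":
    for f in suspicious_webconfd_access(SAMPLE_SYSLOG.splitlines(), TRUSTED_IPS):
        print(f"{f['time']} {f['host']} webconfd from {f['ip']}: {', '.join(f['reasons'])}")
```

Run it against the real file with `suspicious_webconfd_access(open("/var/log/syslog"), TRUSTED_IPS)` and your own allowlist; every reported entry deserves a closer look at the matching apache access log.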
Mitigations
You can disable the web configuration. This can be done using the local console (F1 > Web configuration > disable) or by connecting to the appliance via SSH and executing cma-setup.
Severity
This vulnerability has been rated Critical (10.0) according to the scale published by the Common Vulnerability Scoring System (CVSS).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H