Werk #984: Fix code injection for logged in users via automation url

Component Setup
Title Fix code injection for logged in users via automation url
Date May 27, 2014
Checkmk Edition Checkmk Raw (CRE)
Checkmk Version 1.2.5i4
Level Prominent Change
Class Security Fix
Compatibility Incompatible - Manual interaction might be required

This fixes CVSS 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C. The description:

The check_mk applications uses insecure API calls, which allow an attacker to execute arbitrary code on the server by issuing just a single URL. The reason for this is the usage of the insecure "pickle" API call. Apparently this was modified as a security means from a former version, which used "eval"-like structures with untrusted input data. Anyhow, as the python API documentation clearly state, "pickle" should be considered unsafe as well, see: https://docs.python.org/2/library/pickle.html.

The fix replaces pickle with a module called ast. Unfortunately this module is not available on Centos/RedHat 5.X and Debian 5. On these systems WATO still uses pickle, even with this fix.

Note: This change makes the current Check_MK versions incompatible to older versions. In a mixed environment with old and new Check_MK versions or with old and newer Python versions you have to force WATO to use the old unsafe method by setting wato_legacy_eval = True in multisite.mk. This can also be done with the new global WATO setting Use unsafe legacy encoding for distributed WATO.

To the list of all Werks