Werk #984: Fix code injection for logged in users via automation url
| Field | Value |
|---|---|
| Component | Setup |
| Title | Fix code injection for logged in users via automation url |
| Date | May 27, 2014 |
| Level | Prominent Change |
| Class | Security Fix |
| Compatibility | Incompatible - Manual interaction might be required |
| Checkmk versions & editions | |
This fixes an issue rated CVSS 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C). The description:
The check_mk application uses insecure API calls, which allow an attacker to execute arbitrary code on the server by issuing just a single URL. The reason for this is the usage of the insecure "pickle" API call. Apparently this was modified as a security measure from a former version, which used "eval"-like structures with untrusted input data. Anyhow, as the Python API documentation clearly states, "pickle" should be considered unsafe as well, see: https://docs.python.org/2/library/pickle.html.
The fix replaces pickle with the Python standard-library module ast. Unfortunately this module is not available on CentOS/RedHat 5.X and Debian 5. On these systems WATO still uses pickle, even with this fix.
Note: This change makes the current Check_MK versions incompatible with older versions. In a mixed environment with old and new Check_MK versions, or with old and newer Python versions, you have to force WATO to use the old unsafe method by setting wato_legacy_eval = True in multisite.mk. This can also be done with the new global WATO setting "Use unsafe legacy encoding for distributed WATO".
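To illustrate why swapping pickle for ast closes the hole, here is an added example (not Checkmk's own code) of decoding automation data with ast.literal_eval: it builds only plain literals and refuses names, attribute access and calls, so a crafted URL parameter cannot run code. The payload shape (a repr() of a dict of host attributes) and the function names are assumptions for the example.

```python
import ast

# Constructed sample of the kind of data a distributed-WATO automation call
# might carry: the repr() of a plain Python literal (assumed shape).
SAFE_PAYLOAD = repr({"host": "srv01", "tags": ["linux", "prod"], "port": 6556})

# Constructed non-literal input: a name lookup plus a call. pickle.loads()
# or eval() could turn such input into code execution; literal_eval cannot.
NON_LITERAL_PAYLOAD = "os.getcwd()"


def decode_automation_data(text):
    """Parse an untrusted automation payload as a pure Python literal.

    ast.literal_eval() only constructs strings, numbers, tuples, lists,
    dicts, sets, booleans and None. Anything else (names, attributes,
    calls, operators beyond signed/complex numbers) raises, so the
    untrusted text never reaches eval() or the pickle machinery.
    Returns (ok, value); ok is False when the input is not a literal.
    """
    try:
        return True, ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return False, None


def encode_automation_data(obj):
    """Encode an object for the non-pickle transport as repr() text.

    Only objects that survive a repr()/literal_eval round trip are accepted,
    so a sender cannot accidentally fall back to a representation that the
    receiver would need eval() to understand.
    """
    text = repr(obj)
    ok, back = decode_automation_data(text)
    if not ok or back != obj:
        raise ValueError("object is not representable as a Python literal")
    return text


if __name__ == "__main__":
    print(decode_automation_data(SAFE_PAYLOAD))
    print(decode_automation_data(NON_LITERAL_PAYLOAD))
```

On the RHEL/CentOS 5 and Debian 5 systems the werk mentions, ast is absent and this function would not import; that is exactly the case where WATO stays on pickle.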