Headline
CVE-2022-31258: Secure path for OMD hooks
In Checkmk before 1.6.0p29, 2.x before 2.0.0p25, and 2.1.x before 2.1.0b10, a site user can escalate to root by editing an OMD hook symlink.
Werk #13902: Secure path for OMD hooks
Component
Site management
Title
Secure path for OMD hooks
Date
May 9, 2022
Checkmk Editon
Checkmk Raw (CRE)
Checkmk Version
2.2.0i1 2.1.0b10 2.0.0p25 1.6.0p29
Level
Trivial Change
Class
Security Fix
Compatibility
Compatible - no manual interaction needed
OMD executes several hooks to determine configuration options (e.g. which port to use for the site apache). These hooks are version dependent, so OMD executed these hooks via a symlink in the site to get the hooks matching the version of the site.
The symlinks belong to the site user in order to be able to update the version. Since a OMD status executes those hooks as root, it was possible for a site user to create a malicious hook and execute code as root.
All maintained versions (>=1.6) are subject to this vulnerability. It is likely that also previous versions were vulnerable.
CVE will be added later here. CVSS: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 8.2
We thank Timo Klecker for reporting this issue!
To the list of all Werks