
CVE-2022-33912: Fix ownership of debian maintainer scripts for shipped agent package

A permission issue affects users that deployed the shipped version of the Checkmk Debian package. Packages created by the agent bakery (enterprise editions only) were not affected. Using the shipped version of the agents, the maintainer scripts located at /var/lib/dpkg/info/ will be owned by the user and the group with ID 1001. If such a user exists on the system, they can change the content of these files (which are then executed by root). This leads to a local privilege escalation on the monitored host. Version 1.6 through 1.6.9p29, version 2.0 through 2.0.0p26, version 2.1 through 2.1.0p3, and version 2.2.0i1 are affected.

CVE
#debian

Component

Agent bakery

Title

Fix ownership of debian maintainer scripts for shipped agent package

Date

Jun 13, 2022

Checkmk Edition

Checkmk Raw (CRE)

Checkmk Version

2.1.0p3 2.0.0p26 1.6.0p29 2.2.0i1

Level

Trivial Change

Class

Security Fix

Compatibility

Compatible - no manual interaction needed

This issue affects users that deployed the shipped version of the Checkmk agent Debian package. Packages created by the agent bakery (enterprise editions only) were not affected.

Prior to this Werk, a user with the UID 1001 on a monitored host could gain root privileges.

This was caused by wrong file ownership of the maintainer scripts located at /var/lib/dpkg/info: they were owned by the user and group with the ID 1001 instead of root. If such a user exists on your system, they can change the content of these files which are later executed by root (during package installation, update or removal), leading to a local privilege escalation on the monitored host.

To see if you are affected check the ownership of the files /var/lib/dpkg/info/check-mk-agent.* – they should be owned by root and only writable by root.

If those files are not owned by root, you should perform the following steps before updating the agent:

  • Ensure they have not been tampered with.
  • Either immediately upgrade the agent or change the ownership of the files to root.root and the permissions to 755
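
The ownership check described above can be scripted; the following is an added example, not code from Checkmk or from this Werk. The function name, its optional arguments (directory, expected UID and GID, so it can also run against a copy of the directory) and the output format are assumptions, and it relies on GNU `stat` as found on Debian.

```shell
#!/bin/sh
# Added example: audit the Checkmk agent maintainer scripts under dpkg's info dir.
# Hypothetical helper, not part of Checkmk. Requires GNU stat (coreutils).
#
# audit_maintainer_scripts [DIR] [EXPECTED_UID] [EXPECTED_GID]
#   prints one line per file that is not owned by the expected user/group
#   or that is writable by group or others.
#   returns 0 = clean, 1 = findings, 2 = no check-mk-agent.* files found.
audit_maintainer_scripts() {
    dir=${1:-/var/lib/dpkg/info}; want_uid=${2:-0}; want_gid=${3:-0}
    seen=0; bad=0
    for f in "$dir"/check-mk-agent.*; do
        [ -f "$f" ] || continue          # also skips an unmatched glob
        seen=1
        uid=$(stat -c %u "$f"); gid=$(stat -c %g "$f"); mode=$(stat -c %a "$f")
        reason=
        if [ "$uid" -ne "$want_uid" ] || [ "$gid" -ne "$want_gid" ]; then
            # Exposure condition from the advisory: does an account with this UID exist?
            acct=$(getent passwd "$uid" 2>/dev/null | cut -d: -f1)
            reason="owner is not uid $want_uid/gid $want_gid (account: ${acct:-none})"
        fi
        # %a is octal; mask 022 selects the group-write and other-write bits.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            reason="${reason:+$reason; }writable by group or others"
        fi
        if [ -n "$reason" ]; then
            bad=1
            printf '%s uid=%s gid=%s mode=%s: %s\n' "$f" "$uid" "$gid" "$mode" "$reason"
        fi
    done
    if [ "$seen" -eq 0 ]; then return 2; fi
    return "$bad"
}

# Usage on a monitored host (defaults: /var/lib/dpkg/info, root:root):
#   audit_maintainer_scripts
```

Any file this reports should have its content reviewed as described below before its ownership is reset.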

To make sure the files have not been tampered with, you can check out the expected content in the "%pre", "%post" and "%preun" sections of this file (make sure to select the right Checkmk version in the dropdown choice that reads "master").

To get an idea of what the files should look like in the 2.1.0 version, you can also look at the checked-in versions of the master branch here. Note that smaller deviations are no cause for concern.
