Headline
CVE-2022-48317: Fix session cookie validation on RestAPI
Expired sessions were not securely terminated in the RestAPI for Tribe29’s Checkmk <= 2.1.0p10 and Checkmk <= 2.0.0p28 allowing an attacker to use expired session tokens when communicating with the RestAPI.
Component
REST API
Title
Fix session cookie validation on RestAPI
Date
Sep 2, 2022
Checkmk Edition
Checkmk Raw (CRE)
Checkmk Version
2.2.0b1 2.1.0p11 2.0.0p29
Level
Trivial Change
Class
Security Fix
Compatibility
Compatible - no manual interaction needed
Before this Werk, expired sessions were still accepted by the RestAPI, because the RestAPI only validated the cookie signature and never checked the server-side session state.
An attacker who was able to steal a session cookie could therefore keep using that cookie against the RestAPI after the session had expired. Some actions require access to the user session and fail on an expired session; actions that do not touch the session remain possible with the stale cookie.
Affected Versions: All versions that ship the RestAPI are affected: 2.0 and 2.1.
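The following is an added illustration of the flaw, not Checkmk's own code: a signed cookie is verified two ways, once with signature-only validation (the pre-fix behaviour described above) and once with an additional lookup of a live, unexpired server-side session. The cookie format "user:session_id:mac", the session-store layout keyed by user and session id with a last_activity timestamp, the idle timeout and the site secret are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed site secret for the example (assumption; not Checkmk key material).
SECRET = b"constructed-example-secret"
# Assumed idle timeout in seconds for the example.
IDLE_TIMEOUT = 90 * 60


def sign_cookie(user, session_id, secret=SECRET):
    """Build a 'user:session_id:mac' cookie; the MAC is HMAC-SHA256 over user:session_id."""
    payload = f"{user}:{session_id}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def _verify_signature(cookie, secret=SECRET):
    """Return (user, session_id) when the MAC is valid, otherwise None."""
    parts = cookie.split(":")
    if len(parts) != 3:
        return None
    user, session_id, mac = parts
    expected = hmac.new(secret, f"{user}:{session_id}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return user, session_id


def validate_vulnerable(cookie, sessions, now):
    """Pre-fix behaviour: the cookie is accepted as soon as its signature checks out.
    The server-side session table is never consulted, so a stolen cookie keeps
    working after the session has expired or was logged out."""
    return _verify_signature(cookie)


def validate_fixed(cookie, sessions, now, idle_timeout=IDLE_TIMEOUT):
    """Post-fix behaviour: valid signature AND a known, unexpired server-side session."""
    parsed = _verify_signature(cookie)
    if parsed is None:
        return None
    user, session_id = parsed
    session = sessions.get(user, {}).get(session_id)
    if session is None:
        return None  # unknown or logged-out session
    if now - session["last_activity"] > idle_timeout:
        return None  # expired: rejected even though the MAC is valid
    return parsed


def demo():
    """Replay a stolen cookie for an expired session through both validators."""
    now = 1_700_000_000  # fixed clock so the example is deterministic
    # Constructed server-side session store: one stale session (two hours idle,
    # beyond the assumed timeout) and one fresh session.
    sessions = {
        "cmkadmin": {
            "sess-stale": {"last_activity": now - 2 * 60 * 60},
            "sess-fresh": {"last_activity": now - 60},
        }
    }
    stolen = sign_cookie("cmkadmin", "sess-stale")
    live = sign_cookie("cmkadmin", "sess-fresh")
    # Forgery attempt: reuse the stolen MAC with a different user name.
    forged = "guest:sess-stale:" + stolen.split(":")[2]
    return {
        "vulnerable_accepts_expired": validate_vulnerable(stolen, sessions, now) is not None,
        "fixed_accepts_expired": validate_fixed(stolen, sessions, now) is not None,
        "fixed_accepts_live": validate_fixed(live, sessions, now) is not None,
        "vulnerable_accepts_forged": validate_vulnerable(forged, sessions, now) is not None,
        "fixed_accepts_forged": validate_fixed(forged, sessions, now) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is that a correct MAC only proves the cookie was issued by the site; it says nothing about whether the session it names is still alive. Session expiry and logout are server-side state and must be checked on every request, which is what the fixed validator does.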
Mitigations: Immediate mitigations are not available.
Indicators of Compromise: Review Apache and web.log for suspicious logs.
Vulnerability Management: We have rated the issue with a CVSS Score of 5.6 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L. A CVE was requested and has since been assigned as CVE-2022-48317.