Bug 1101669 (CVE-2014-0243)

Summary: CVE-2014-0243 check-mk: arbitrary file disclosure flaw as root
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: andrea.veri, jrusnack
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: check-mk 1.2.5i3 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 18:56:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1101670, 1101671    
Bug Blocks:    

Description Vincent Danen 2014-05-27 17:56:48 UTC 
LSE Leading Security Experts GmbH discovered that the Check_MK agent (Nagios plugin) processed files from the /var/lib/check_mk_agent/job directory which had 1777 permissions. The mk-job program did not check whether any files in this directory where symbolic or hard links.  Due to the permissions of this directory, any user could add a symbolic or hard link to any file on the filesystem, and because the Check_MK agent ran as the root user, it could expose arbitrary files via the agent, which exposes all the contents of this directory on TCP port 6556 by default.

This can be worked-around by setting mode 0755 on /var/lib/check_mk_agent/job (removing the sticky bit).

This is described in the upstream bug report [1] and fixed in git [2].

[1] http://mathias-kettner.com/check_mk_werks.php?werk_id=978
[2] http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=a2ef8d00c53ec9cbd05c4ae2f09b50761130e7ce


Acknowledgements:

Red Hat would like to thank LSE Leading Security Experts GmbH for reporting this issue.
Comment 1 Vincent Danen 2014-05-27 17:58:07 UTC 
Created check-mk tracking bugs for this issue:

Affects: fedora-all [bug 1101670]
Affects: epel-all [bug 1101671]
Comment 2 Andrea Veri 2014-05-27 19:10:29 UTC 
I'll prepare a fix today. Thanks for reporting.
Comment 3 Fedora Update System 2014-06-10 03:08:49 UTC 
check-mk-1.2.4p2-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2014-06-10 03:09:42 UTC 
check-mk-1.2.4p2-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2014-06-14 20:00:54 UTC 
check-mk-1.2.4p2-2.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2014-06-14 20:01:08 UTC 
check-mk-1.2.4p2-2.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.