LSE Leading Security Experts GmbH discovered that the Check_MK agent (Nagios plugin) processed files from the /var/lib/check_mk_agent/job directory which had 1777 permissions. The mk-job program did not check whether any files in this directory where symbolic or hard links. Due to the permissions of this directory, any user could add a symbolic or hard link to any file on the filesystem, and because the Check_MK agent ran as the root user, it could expose arbitrary files via the agent, which exposes all the contents of this directory on TCP port 6556 by default. This can be worked-around by setting mode 0755 on /var/lib/check_mk_agent/job (removing the sticky bit). This is described in the upstream bug report [1] and fixed in git [2]. [1] http://mathias-kettner.com/check_mk_werks.php?werk_id=978 [2] http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=a2ef8d00c53ec9cbd05c4ae2f09b50761130e7ce Acknowledgements: Red Hat would like to thank LSE Leading Security Experts GmbH for reporting this issue.
Created check-mk tracking bugs for this issue: Affects: fedora-all [bug 1101670] Affects: epel-all [bug 1101671]
I'll prepare a fix today. Thanks for reporting.
check-mk-1.2.4p2-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
check-mk-1.2.4p2-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
check-mk-1.2.4p2-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
check-mk-1.2.4p2-2.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.