Werk #984: Fix code injection for logged in users via automation url
| Component | Setup |
| Title | Fix code injection for logged in users via automation url |
| Date | May 27, 2014 |
| Checkmk Edition | Checkmk Raw (CRE) |
| Checkmk Version | 1.2.5i4 |
| Level | Prominent Change |
| Class | Security Fix |
| Compatibility | Incompatible - Manual interaction might be required |
This fixes CVSS 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C. The description:
The check_mk applications uses insecure API calls, which allow an attacker to execute arbitrary code on the server by issuing just a single URL. The reason for this is the usage of the insecure "pickle" API call. Apparently this was modified as a security means from a former version, which used "eval"-like structures with untrusted input data. Anyhow, as the python API documentation clearly state, "pickle" should be considered unsafe as well, see: https://docs.python.org/2/library/pickle.html.
The fix replaces pickle with a module called ast. Unfortunately this module is not available on Centos/RedHat 5.X and Debian 5. On these systems WATO still uses pickle, even with this fix.
Note: This change makes the current Check_MK versions incompatible to older versions. In a mixed environment with old and new Check_MK versions or with old and newer Python versions you have to force WATO to use the old unsafe method by setting wato_legacy_eval = True in multisite.mk. This can also be done with the new global WATO setting Use unsafe legacy encoding for distributed WATO.
