Deutsche Telekom CERT Advisory [DTC-A-20140820-001] 
 
Summary:
Several vulnerabilities were found in check_mk prior versions 1.2.4p4 and 1.2.5i4.
The vulnerabilities are:
1 - Reflected Cross-Site Scripting (XSS)
2 - write access to config files (.mk files) 
3 - arbitrary code execution 
 
Recommendations:
Install software release 1.2.4p4, 1.2.5i4 or later. 

Homepage: http://mathias-kettner.de/check_mk.html
 
Details:
a) application
b) problem
c) CVSS
d) detailed description
 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
a1) check_mk (git hash: 4b71709) [CVE-2014-5338]
 
b1) Reflected Cross-Site Scripting (XSS)
 
c1) CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
 
d1) The check_mk application is susceptible to reflected XSS attacks. This is mainly the result of improper output encoding. Reflected XSS can be triggered by sending a malicious URL to a user of the check_mk application. Once the XSS attack is triggered, the attacker has access to the full check_mk (and nagios) application with the access rights of the logged in victim.
 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 
a2) check_mk (git hash: 4b71709) [CVE-2014-5339]
 
b2) Write access to config (.mk) files in arbitrary places on the filesystem
 
c2) CVSS 4.9 AV:N/AC:M/Au:S/C:N/I:P/A:P
 
d2) The check_mk application does allow an attacker to write check_mk config files (.mk files) on arbitrary locations on the server filesystem
 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 
a3) check_mk (git hash: 4b71709) [CVE-2014-5340]
 
b3) Code executing due to insecure input handling
 
c3) CVSS 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C
 
d3) The check_mk applications uses insecure API calls, which allow an attacker to execute arbitrary code on the server by issuing just a single URL. The reason for this is the usage of the insecure "pickle" API call. 
Additionally, there are several locations in the code which allow calling this method without any CSRF tokens in place. This flaw can also be triggered as a non-admin user (for instance as a normal monitoring user, who only has limited capabilities in the application).


Deutsche Telekom Cyber Defense & CERT 
Friedrich-Ebert-Allee 140, 53113 Bonn, Germany
+49 800 DTAG CERT (Tel.)
E-Mail: cert@telekom.de
Life is for sharing.
 
Deutsche Telekom AG
Supervisory Board: Prof. Dr. Ulrich Lehner (Chairman)
Board of Management: Timotheus Höttges (Chairman),
Dr. Thomas Kremer, Reinhard Clemens, Niek Jan van Damme,
Thomas Dannenfeldt, Claudia Nemat, Prof. Dr. Marion Schick
Commercial register: Amtsgericht Bonn HRB 6794
Registered office: Bonn
 
Big changes start small – conserve resources by not printing every e-mail.