Checkmk
cpe:2.3:a:checkmk:checkmk:*:*:*:*:*:*:*
- <= 2.1.0
- 2.2.0
- 2.3.0
- 2.4.0
A vulnerability exists in the Checkmk inotify agent plugin, affecting Checkmk versions prior to 2.4.0p16, 2.3.0p41, and all versions of 2.2.0 and older. The vulnerability arises because the mk_inotify plugin creates files with overly permissive world-readable and writable permissions. This flaw allows any local user to read and modify the plugin's output, potentially leading to unauthorized access to or alteration of monitoring data.
Exploitation could result in unauthorized access to or modification of monitoring data, because local users can read and write the inotify plugin's output files.
To reproduce this vulnerability, deploy the inotify agent plugin on a system running an affected version of Checkmk. After the plugin has been executed, check the permissions of the output files in /var/lib/check_mk_agent/. The files will be written with world-readable and writable permissions, indicated by the '-rw-rw-rw-' permission set. This permissive setting allows any local user to read and modify the plugin's output, creating a risk of unauthorized access to monitoring data.
To address this vulnerability, update to Checkmk versions 2.4.0p16, 2.3.0p41, or 2.5.0b1. If an immediate update is not possible, the inotify agent can be manually modified by removing the line that overrides the umask value, which is located in the mk_inotify.py plugin file. After making this change, restart the inotify agent to apply the fix.
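The following is an added example, not Checkmk's own code: it shows how a umask override produces the '-rw-rw-rw-' mode described above, and how to audit the agent directory for world-writable files before and after the fix. The override value of 0, the file names and the helper functions are assumptions for illustration; the sample files are constructed in a temporary directory.

```python
import os
import stat
import tempfile


def write_output(path, data, umask):
    """Create a file the way a plugin would, under the given process umask."""
    previous = os.umask(umask)
    try:
        with open(path, "w") as fh:  # open() requests 0o666; the umask trims it
            fh.write(data)
    finally:
        os.umask(previous)  # restore the caller's umask
    return stat.S_IMODE(os.stat(path).st_mode)


def audit(directory):
    """Map each world-writable regular file under directory to its mode string."""
    findings = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)  # lstat: report on the entry itself, not a symlink target
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                findings[path] = stat.filemode(st.st_mode)
    return findings


def demo():
    """Constructed sample: two files written under different umasks, then audited."""
    with tempfile.TemporaryDirectory() as state_dir:  # stand-in for /var/lib/check_mk_agent/
        # Assumed override value: a umask of 0 is what yields -rw-rw-rw-.
        overridden = write_output(os.path.join(state_dir, "overridden.out"), "sample\n", 0o000)
        default = write_output(os.path.join(state_dir, "default.out"), "sample\n", 0o022)
        flagged = sorted(os.path.basename(p) for p in audit(state_dir))
    return overridden, default, flagged


if __name__ == "__main__":
    overridden, default, flagged = demo()
    print(f"umask 000 -> {oct(overridden)}, umask 022 -> {oct(default)}, flagged: {flagged}")
    # On a monitored host, audit the real agent directory named in the advisory:
    for path, mode in audit("/var/lib/check_mk_agent").items():
        print(mode, path)
```

Files created before the update or manual fix keep their old mode, so rerun the audit afterwards and correct any files it still reports.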