Werk #0984: Fix code injection for logged in users via automation url

Component: WATO
Title: Fix code injection for logged in users via automation url
Date: 2014-05-27 15:01:17
Check_MK Edition: Check_MK Raw Edition (CRE)
Check_MK Version: 1.2.5i4
Level: Prominent Change
Class: Security Fix
Compatibility: Incompatible - Manual interaction might be required

This fixes a vulnerability rated CVSS 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C). The description:

The check_mk application uses insecure API calls, which allow an attacker to execute arbitrary code on the server by issuing just a single URL. The reason for this is the usage of the insecure "pickle" API call. Apparently this was modified as a security measure from a former version, which used "eval"-like structures with untrusted input data. Anyhow, as the Python API documentation clearly states, "pickle" should be considered unsafe as well, see: https://docs.python.org/2/library/pickle.html.

The fix replaces pickle with a module called ast. Unfortunately this module is not available on CentOS/RedHat 5.X and Debian 5. On these systems WATO still uses pickle, even with this fix.
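The difference between the two decoders, as an added example that is not Check_MK's own code: a pickle decoder calls whatever function the sender's data names, while a literal-only parser from the ast module accepts data and refuses calls. It assumes ast.literal_eval as the parsing function; all function and class names and the sample data are hypothetical.

```python
import ast
import os
import pickle

# Hypothetical names throughout; this is not Check_MK's own code.


class CallsOnLoad:
    """Constructed object: unpickling it calls a function chosen by the sender."""
    def __reduce__(self):
        return (os.getpid, ())  # harmless stand-in for any importable callable


def decode_pickle(blob):
    """Legacy decoder: pickle.loads() runs whatever callable the blob names."""
    return pickle.loads(blob)


def decode_literal(text):
    """Hardened decoder: accept Python literals only, never calls or names."""
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError) as exc:
        raise ValueError("rejected non-literal input: %s" % exc)


def demo():
    # Constructed sample data standing in for a payload sent between sites.
    config = {"site": "remote1", "hosts": ["srv01", "srv02"], "sync": True}

    # Legitimate data survives a repr()/literal_eval round trip unchanged.
    roundtrip = decode_literal(repr(config))

    # The pickle decoder returns the result of a function call, not data.
    pickled_result = decode_pickle(pickle.dumps(CallsOnLoad()))

    # The same intent written as an expression is refused by literal_eval.
    try:
        decode_literal("__import__('os').getpid()")
        rejected = False
    except ValueError:
        rejected = True
    return roundtrip == config, pickled_result == os.getpid(), rejected


if __name__ == "__main__":
    print(demo())
```

ast.literal_eval still parses untrusted text, so very large or deeply nested input can exhaust memory or the interpreter stack; bound the input size before decoding.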

Note: This change makes the current Check_MK versions incompatible with older versions. In a mixed environment with old and new Check_MK versions, or with old and newer Python versions, you have to force WATO to use the old unsafe method by setting wato_legacy_eval = True in multisite.mk. This can also be done with the new global WATO setting "Use unsafe legacy encoding for distributed WATO".