Werk #5208: Fix possible information disclosure to unauthenticated users

Title: Fix possible information disclosure to unauthenticated users
Date: 2017-09-25 08:52:25
Check_MK Edition: Check_MK Raw Edition (CRE)
Check_MK Version: 1.2.8p26
Level: Prominent Change
Class: Security Fix
Compatibility: Compatible - no manual intervention required

In affected Check_MK versions it was possible for an unauthenticated user to obtain information about the internal user database.

The latest oldstable version 1.2.8p25 of Check_MK is vulnerable to an unauthenticated information disclosure through a race condition in the authentication process, triggered when authenticating with a valid username and an invalid password.

Check_MK 1.4 or newer is not affected by this issue.

The issue is caused by the logic that saves the number of failed logins for each user. During saving, parallel requests could try to rename a non-existing file that had just been renamed by a concurrent process. The resulting uncaught exception causes the Check_MK GUI to fail and generate a crash report that discloses a variety of information, such as internal server paths and detailed user information.
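The following is an added example to illustrate the failure mode described above; it is not Check_MK's own code. It models the write-then-rename update of a per-user failed-login counter with two overlapping requests. The counter file name, its JSON layout and the function names are assumptions made for the illustration. When both writers use the same temporary file name, the second rename targets a file the first writer already moved into place and raises; with a per-writer temporary name from mkstemp() the rename cannot fail that way.

```python
import json
import os
import tempfile

# Hypothetical file name for the per-user failed-login counters.
COUNTER_FILE = "failed_logins.mk"


def load_counters(path):
    """Return the stored counters, or an empty dict if the file does not exist yet."""
    try:
        with open(path) as f:
            return json.load(f)
    except FileNotFoundError:
        return {}


def write_temp(directory, path, data, unique_tmp):
    """Write the new contents to a temporary file beside 'path' and return its name.

    unique_tmp=False reproduces the fragile pattern: every writer uses the
    same temporary name, so two concurrent writers share (and fight over) it.
    unique_tmp=True gives each writer its own temporary file via mkstemp().
    """
    if unique_tmp:
        fd, tmp = tempfile.mkstemp(prefix=COUNTER_FILE + ".", dir=directory)
        with os.fdopen(fd, "w") as f:
            f.write(data)
    else:
        tmp = path + ".new"
        with open(tmp, "w") as f:
            f.write(data)
    return tmp


def save_failed_logins(directory, user, count, unique_tmp, concurrent_writer=None):
    """Record 'count' failed logins for 'user' with a write-then-rename update.

    'concurrent_writer' is a test hook: it runs between writing the temporary
    file and renaming it, standing in for a second request that finishes its
    own save inside that window.
    """
    path = os.path.join(directory, COUNTER_FILE)
    counters = load_counters(path)
    counters[user] = count
    tmp = write_temp(directory, path, json.dumps(counters), unique_tmp)
    if concurrent_writer is not None:
        concurrent_writer()
    # With a shared temporary name this rename raises FileNotFoundError when the
    # concurrent writer has already renamed the file away; an uncaught exception
    # at this point is what surfaces as a crash report to the client.
    os.replace(tmp, path)
    return load_counters(path)


def simulate_race(unique_tmp):
    """Run two overlapping saves; return the counters read back, or "crash"."""
    with tempfile.TemporaryDirectory() as directory:
        def second_request():
            # A failed login for another user completes its save first.
            save_failed_logins(directory, "bob", 2, unique_tmp)

        try:
            return save_failed_logins(directory, "alice", 1, unique_tmp,
                                      concurrent_writer=second_request)
        except FileNotFoundError:
            return "crash"


if __name__ == "__main__":
    print("shared temp name:", simulate_race(unique_tmp=False))  # crash
    print("unique temp name:", simulate_race(unique_tmp=True))   # {'alice': 1}
```

Two caveats for anyone fixing a similar pattern. A per-writer temporary name removes the crash, but not the lost update: in the example the second writer's count for "bob" is overwritten by the first writer's rename, so a counter that is supposed to drive lockout still needs a lock (for instance fcntl.flock on the counter file) around the read-modify-write. Independently of the race, the disclosure only happened because an exception on an unauthenticated request was rendered as a full crash report; error handling on pre-authentication code paths should return a generic error and log the details server-side.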

The race condition causing this issue has been fixed with this werk.

This issue is currently identified with the ID: RCESEC-2017-001