17028 SEC Fix Livestatus injection via REST-API

Prior to this fix, a REST API endpoint improperly handled escaping of data received through POST requests. This vulnerability allowed users with the `update_and_acknowledge` permission for events to inject arbitrary Livestatus commands via the affected endpoint. **Affected Versions**: * 2.4.0 (beta) * 2.3.0 * 2.2.0 * 2.1.0 (EOL) **Vulnerability Management**: We have rated the issue with a CVSS score of 6.0 (Medium) with the following CVSS vector: `CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N`, and assigned `CVE-2024-38865`. Change-Id: I0a275351994e9e2b6de201a8311456cd07d39338
Checkmk · Jan 20, 2025 · df8825b · df8825b
1 parent 881bdba
commit df8825b
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 2 deletions.
diff --git a/.werks/17028.md b/.werks/17028.md
@@ -0,0 +1,25 @@
+[//]: # (werk v2)
+# Fix Livestatus injection via REST-API
+
+key        | value
+---------- | ---
+date       | 2025-01-13T13:23:46+00:00
+version    | 2.5.0b1
+class      | security
+edition    | cre
+component  | rest-api
+level      | 1
+compatible | yes
+
+Prior to this fix, a REST API endpoint improperly handled escaping of data received through POST requests. This vulnerability allowed users with the `update_and_acknowledge` permission for events to inject arbitrary Livestatus commands via the affected endpoint.
+
+**Affected Versions**:
+
+* 2.4.0 (beta)
+* 2.3.0
+* 2.2.0
+* 2.1.0 (EOL)
+
+**Vulnerability Management**:
+
+We have rated the issue with a CVSS score of 6.0 (Medium) with the following CVSS vector: `CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N`, and assigned `CVE-2024-38865`.
diff --git a/cmk/gui/livestatus_utils/commands/event_console.py b/cmk/gui/livestatus_utils/commands/event_console.py
@@ -9,7 +9,7 @@
 from time import time
 from typing import get_args, Literal
 
-from livestatus import MultiSiteConnection, OnlySites, SiteId
+from livestatus import lqencode, MultiSiteConnection, OnlySites, SiteId
 
 from cmk.utils.livestatus_helpers.expressions import Or, QueryExpression
 from cmk.utils.livestatus_helpers.queries import Query
@@ -200,7 +200,7 @@ def update_and_acknowledge(
     sites_with_ids = map_sites_to_ids_from_query(connection, query, site_id)
     for site, event_ids in sites_with_ids.items():
         event_ids_joined = ",".join(event_ids)
-        cmd = f"EC_UPDATE;{event_ids_joined};{user.ident};{ack};{change_comment};{change_contact}"
+        cmd = f"EC_UPDATE;{event_ids_joined};{user.ident};{ack};{lqencode(change_comment)};{lqencode(change_contact)}"
         send_command(connection, cmd, site)
     return sites_with_ids