Hi Community.
I am using cmk ver 2.1.0p18.cre on Ubuntu 20.04 LTS. On port 8000 it seems to have a vulnerability.
I checked the system files /etc/apache2/mods-*/ssl.conf of the Ubuntu system regarding the option SSLInsecureRenegotiation to turn it off. But I think that the base of the problem is the python3 process (lsof -i TCP:8000 command). I saw (Ports - Ports used by Checkmk) that cmk uses port 8000 for agent communication.
So my question: Is it possible to change the option “SSLInsecureRenegotiation” of the Python process that is running on port 8000 and change the choice of authorized TLS versions?
Hi @eins.elf and thank you for your feedback!
I am no security professional, but rest assured that our security guys are already looking into this.
I am here for a mere clarification: The Agent Receiver on port 8000 currently only serves for TLS registration. The actual monitoring data is still fetched from port 6556 on the monitored system.
You can use the proxy-register command of the agent controller if you want to restrict access to port 8000 on your monitoring servers.
First I’d like to lay out that there is no security risk. The only users of this port/service are the agent-controllers. These come with their own TLS stack which only supports TLS1.2 and TLS1.3. So downgrade attacks are not possible.
In Checkmk 2.2 this will not be an issue anymore since we will use a more recent Python version with no support for those old TLS protocols.
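To see for yourself which TLS protocol versions a listener such as the one on port 8000 will negotiate, you can offer exactly one version per connection and record the outcome. This is an added example, not part of the thread and not Checkmk code; the function names are hypothetical, and a local OpenSSL build that cannot offer TLS 1.0/1.1 is reported as `client-unsupported` rather than as a server rejection.

```python
import socket
import ssl
import sys
import warnings

# Protocol versions to offer, oldest first (names from ssl.TLSVersion).
VERSIONS = ("TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3")


def probe_version(host, port, name, timeout=3.0):
    """Offer exactly one TLS version to host:port and classify the outcome."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"  # no TCP connection, so nothing learned about TLS
    with sock:
        try:
            with warnings.catch_warnings():
                # TLSv1 and TLSv1_1 are deprecated in recent Python releases.
                warnings.simplefilter("ignore", DeprecationWarning)
                version = getattr(ssl.TLSVersion, name)
                ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
                # Only the protocol version is probed, not certificate trust.
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
                # OpenSSL security level 0 lets the client offer legacy versions.
                ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
                ctx.minimum_version = version
                ctx.maximum_version = version
        except (ValueError, ssl.SSLError):
            return "client-unsupported"  # local OpenSSL cannot offer this version
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "accepted" if tls.version() else "rejected"
        except OSError:  # ssl.SSLError, resets and timeouts are all OSError
            return "rejected"


def probe_all(host, port, timeout=3.0):
    """Map each version name in VERSIONS to its probe result."""
    return {name: probe_version(host, port, name, timeout) for name in VERSIONS}


if __name__ == "__main__":
    # Usage: python3 tls_probe.py <your-monitoring-server> 8000
    for name, outcome in probe_all(sys.argv[1], int(sys.argv[2])).items():
        print(f"{name:8} {outcome}")
```

Run it from a host that can reach the monitoring server; `accepted` for `TLSv1` or `TLSv1_1` means the listener still negotiates those versions with a client that offers them.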