A new version of check_smart, a monitoring plugin for hard drives, solid state drives and NVMe drives, is available.
The newest release, 6.18.1, is a security release and fixes a command injection vulnerability in the handling of the interface parameter.
Besides fixing this potential vulnerability, the plugin now bails out if it is launched against a symlink instead of a real block or character device:
$ ln -s /dev/sda /tmp/sda
$ sudo ./check_smart.pl -i ata -d /tmp/sda --debug
(debug) Found /tmp/sda
(debug) /tmp/sda is a symlink, skipping for security reasons
Could not find any valid block/character special device for device /tmp/sda !
Malicious local users could have injected shell commands either through the interface parameter or by crafting a special symlink whose name contained shell commands.
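To show the two defensive measures the release describes in working form, here is an added Python example; it is not check_smart's own code (the plugin is written in Perl) and its interface allowlist is an assumption, since "ata" is the only interface value visible above. It validates the interface parameter against a strict allowlist, refuses symlinks and non-device files before touching them, and builds the smartctl command as an argv list so no shell ever parses user-controlled strings.

```python
import os
import re
import stat
import subprocess
import tempfile
from typing import Callable, List

# Added example, not check_smart's own code. Interface allowlist: "ata" is the only
# value shown on the page; the other names are assumed for illustration only.
INTERFACE_RE = re.compile(r"^(ata|sat|scsi|nvme|megaraid,[0-9]{1,3})$")


def validate_interface(interface: str) -> str:
    """Accept only allowlisted interface names; anything else (spaces, ';', '$(',
    quotes, ...) is rejected before it gets anywhere near a command line."""
    if not INTERFACE_RE.fullmatch(interface):
        raise ValueError(f"invalid interface {interface!r}")
    return interface


def check_device_path(path: str) -> str:
    """Mirror the plugin's new behaviour: refuse symlinks outright and require a
    real block or character special file. os.lstat() does not follow symlinks."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise ValueError(f"{path} is a symlink, skipping for security reasons")
    if not (stat.S_ISBLK(st.st_mode) or stat.S_ISCHR(st.st_mode)):
        raise ValueError(
            f"Could not find any valid block/character special device for device {path} !"
        )
    return path


def build_smartctl_argv(interface: str, device: str) -> List[str]:
    """Build argv as a list. With shell=False no shell parses these strings, so
    metacharacters in user input reach smartctl literally instead of being executed."""
    return ["smartctl", "-d", validate_interface(interface), "-H", check_device_path(device)]


def run_smartctl(interface: str, device: str) -> subprocess.CompletedProcess:
    """Run smartctl without a shell (smartctl is assumed installed; not exercised below)."""
    return subprocess.run(build_smartctl_argv(interface, device),
                          capture_output=True, text=True, check=False, shell=False)


def rejects(func: Callable, *args) -> bool:
    """True if func(*args) raises ValueError, i.e. the plugin's 'bail out' path."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


def self_check() -> dict:
    """Exercise the checks against constructed inputs: a regular file and a
    symlink created in a temporary directory, plus /dev/null as a char device."""
    with tempfile.TemporaryDirectory() as tmp:
        regular = os.path.join(tmp, "not-a-device")
        link = os.path.join(tmp, "sda")
        open(regular, "w").close()
        os.symlink("/dev/null", link)  # constructed symlink pointing at a real char device
        return {
            "ata_ok": validate_interface("ata") == "ata",
            "metachar_rejected": rejects(validate_interface, "ata; id"),
            "symlink_rejected": rejects(check_device_path, link),
            "regular_file_rejected": rejects(check_device_path, regular),
            "char_device_ok": check_device_path("/dev/null") == "/dev/null",
            "argv": build_smartctl_argv("ata", "/dev/null"),
        }


if __name__ == "__main__":
    for key, value in self_check().items():
        print(f"{key}: {value}")
```

The symlink check deliberately uses lstat rather than stat: a stat-based check on the symlink above would happily report a character device, which is exactly the case the plugin now refuses.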
This vulnerability was reported by Dirk Müller from SUSE. Thanks for the quick and great collaboration!