Checkmk Vulnerabilities Can Be Chained for Remote Code Execution

Researchers at code security firm Sonar Source have shared details on multiple Checkmk vulnerabilities that could be chained together to execute code remotely, without authentication.

Written in Python and C++, Checkmk is an IT infrastructure monitoring solution that lets organizations monitor servers, containers, cloud infrastructure, networks, databases, and other assets from a single web interface.

“According to the vendor’s website, more than 2,000 customers rely on Checkmk. Due to its purpose, Checkmk is a central component usually deployed at a privileged position in a company’s network. This makes it a high-profile target for threat actors,” Sonar Source notes.

The company has identified four vulnerabilities in Checkmk and its NagVis integration, including two with a ‘critical’ severity rating (CVSS score of 9.1).

These security defects, Sonar Source warns, “can be chained together by an unauthenticated, remote attacker to fully take over the server running a vulnerable version of Checkmk.”

The first of the issues is described as a code injection vulnerability in the watolib component, which existed because user data entered in Wato was not properly sanitized before being written to the PHP file generated for the NagVis integration.

“Prior to this Werk it was possible for authenticated users to inject PHP code in files generated by Wato for NagVis integration. The code would be executed once a request to the respective NagVis component is made,” Checkmk explains.

The second critical-severity flaw is described as an arbitrary file read impacting NagVis, the component responsible for creating network maps.

“An authenticated attacker can read arbitrary files with the permissions of the web server user,” Checkmk notes in its advisory.

The two other vulnerabilities, both rated ‘medium severity’, are a line feed injection and a limited server-side request forgery (SSRF) issue.

“Some of the identified vulnerabilities have limited practical impact on their own. However, a malicious attacker can chain them together to achieve remote code execution,” Sonar Source underlines.

The code analysis firm explains that the exploitation chain would start with the unauthenticated attacker using the SSRF to reach an endpoint that is accessible only from localhost and that is vulnerable to the line feed injection.

By forging arbitrary LQL queries – which Checkmk uses to fetch data from the monitoring core – the attacker can then delete arbitrary files, which could allow them to bypass existing authentication mechanisms and access NagVis.

With access to NagVis, the attacker could exploit the arbitrary file read to access a special Checkmk configuration file and gain access to the Checkmk GUI, and then exploit the code injection in watolib to achieve remote code execution (RCE).
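The two injection roots the article describes, user data written into a generated PHP file and line breaks smuggled into a line-oriented LQL query, come down to one defensive rule: encode or reject a value at the boundary where it would become syntax. The following is an added illustration of that rule, not Checkmk's or NagVis's code; the settings-file format, the helper names and the sample values are hypothetical.

```python
import re

# Only letters, digits and underscores are accepted for PHP variable names
# and LQL column names; anything else is refused rather than "cleaned".
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def php_string_literal(value: str) -> str:
    """Emit value as a PHP single-quoted literal. Inside such a literal PHP
    only interprets backslash and single quote, so escaping those two is
    enough to keep the whole value inside the string, whatever it contains."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return f"'{escaped}'"

def render_nagvis_php(settings: dict) -> str:
    """Render a generated PHP settings file (hypothetical format) in which
    every user-controlled value is an escaped literal, never raw text."""
    lines = ["<?php"]
    for key, value in settings.items():
        if not _IDENT.fullmatch(key):
            raise ValueError(f"invalid setting name: {key!r}")
        lines.append(f"${key} = {php_string_literal(str(value))};")
    return "\n".join(lines) + "\n"

def unescaped_quote_count(php_line: str) -> int:
    """Count quote characters PHP would treat as string delimiters; a
    correctly rendered assignment always has exactly two (open and close)."""
    count, i = 0, 0
    while i < len(php_line):
        if php_line[i] == "\\":
            i += 2          # escaped character, skip it
            continue
        if php_line[i] == "'":
            count += 1
        i += 1
    return count

def is_safe_lql_value(value: str) -> bool:
    """LQL is line oriented: each header is one line, so a CR or LF inside
    a value would let that value start a header of its own."""
    return "\n" not in value and "\r" not in value

def lql_filter_line(column: str, value: str) -> str:
    """Build one 'Filter:' header, refusing values that could add lines."""
    if not _IDENT.fullmatch(column):
        raise ValueError(f"invalid LQL column: {column!r}")
    if not is_safe_lql_value(value):
        raise ValueError("line break in LQL filter value")
    return f"Filter: {column} = {value}"
```

The quote counter is the kind of check a test suite for a config generator should run over every emitted line, since a count other than two means some input escaped the literal.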

Sonar Source reported the vulnerabilities to Checkmk on August 22, and the vendor patched them within a week.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
