Researchers at code security firm Sonar Source have shared details on multiple Checkmk vulnerabilities that could be chained together to execute code remotely, without authentication.
Written in Python and C++, Checkmk is an IT infrastructure monitoring solution that allows organizations to monitor servers, containers, cloud infrastructure, networks, databases, and other assets from a single web interface.
“According to the vendor’s website, more than 2,000 customers rely on Checkmk. Due to its purpose, Checkmk is a central component usually deployed at a privileged position in a company’s network. This makes it a high-profile target for threat actors,” Sonar Source notes.
The company has identified four vulnerabilities in Checkmk and its NagVis integration, including two with a ‘critical’ severity rating (CVSS score of 9.1).
These security defects, Sonar Source warns, “can be chained together by an unauthenticated, remote attacker to fully take over the server running a vulnerable version of Checkmk.”
The first of the issues is described as a code injection vulnerability in the watolib component, which existed because user data entered in Wato was not properly sanitized before being written to the PHP file generated for the NagVis integration.
“Prior to this Werk it was possible for authenticated users to inject PHP code in files generated by Wato for NagVis integration. The code would be executed once a request to the respective NagVis component is made,” Checkmk explains.
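To illustrate the bug class described above, here is an added example (not Checkmk's or Sonar Source's code) of a Python routine that writes user-supplied settings into a PHP configuration file, first in the unsafe string-concatenation form and then in a form that emits proper PHP string literals; the variable names, values and checker function are constructed for the illustration.

```python
"""Added example (not Checkmk code): generating a PHP config file from
user-supplied values, the way a Wato-style UI might, shown in the unsafe
string-concatenation form and in a form that emits proper PHP literals."""
import re

# One assignment per line; a value must be exactly one single-quoted PHP
# string literal, so nothing in it can close the quote or the statement.
_SAFE_LINE = re.compile(r"^\$[A-Za-z_]\w* = '(?:[^'\\]|\\.)*';$")
_IDENT = re.compile(r"^[A-Za-z_]\w*$")


def php_single_quoted(value: str) -> str:
    """Escape a string for a PHP single-quoted literal (only \\ and ' are special)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_config_unsafe(settings: dict) -> str:
    """Vulnerable pattern: values are pasted into the PHP source verbatim,
    so a value containing a quote changes the structure of the generated code."""
    lines = ["<?php"]
    for name, value in settings.items():
        lines.append(f"${name} = '{value}';")
    return "\n".join(lines) + "\n"


def render_config_safe(settings: dict) -> str:
    """Hardened pattern: variable names are validated as identifiers and values
    are serialised as PHP literals, so user data can only ever be string content."""
    lines = ["<?php"]
    for name, value in settings.items():
        if not _IDENT.match(name):
            raise ValueError(f"invalid PHP variable name: {name!r}")
        lines.append(f"${name} = {php_single_quoted(str(value))};")
    return "\n".join(lines) + "\n"


def assignments_are_literal_only(php_source: str) -> bool:
    """Check that every generated assignment is one identifier = one string literal."""
    body = [ln for ln in php_source.splitlines()[1:] if ln]
    return all(_SAFE_LINE.match(ln) for ln in body)


if __name__ == "__main__":
    # Constructed input: an apostrophe is legitimate in a map title, yet in the
    # unsafe generator it terminates the literal and the rest is parsed as PHP code.
    user_input = {"map_title": "O'Brien's rack"}
    print(assignments_are_literal_only(render_config_unsafe(user_input)))  # False
    print(assignments_are_literal_only(render_config_safe(user_input)))    # True
```

The same structural check can be run over files a generator has already written, which is a cheap way to spot output that no longer consists of plain assignments.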
The second critical-severity flaw is described as an arbitrary file read impacting NagVis, the component responsible for creating network maps.
“An authenticated attacker can read arbitrary files with the permissions of the web server user,” Checkmk notes in its advisory.
The two other vulnerabilities, both rated ‘medium severity’, are a line feed injection and a limited server-side request forgery (SSRF) issue.
“Some of the identified vulnerabilities have limited practical impact on their own. However, a malicious attacker can chain them together to achieve remote code execution,” Sonar Source underlines.
The code analysis firm explains that the exploitation chain would start with the unauthenticated attacker exploiting the SSRF to reach an endpoint that is only accessible from localhost and that is vulnerable to the line feed injection.
By forging arbitrary LQL queries – which Checkmk uses to fetch data from the monitoring core – the attacker can then delete arbitrary files, which could allow them to bypass existing authentication mechanisms and access NagVis.
With access to NagVis, the attacker could exploit the arbitrary file read to obtain a special Checkmk configuration file, use it to gain access to the Checkmk GUI, and then exploit the code injection in watolib to achieve remote code execution (RCE).
Sonar Source reported the vulnerabilities to Checkmk on August 22, and the vendor patched them within a week.