Researchers have disclosed multiple vulnerabilities in Checkmk, an IT infrastructure monitoring platform, that a remote, unauthenticated attacker can chain together to take full control of an affected server. Installations running Checkmk version 2.1.0p10 or older are affected.
Stefan Schiller, a researcher at SonarSource, wrote in his analysis that the flaws, chained in sequence, lead to remote code execution on the monitoring server. Checkmk is available in open-source and commercial editions, builds on Nagios Core, and integrates with NagVis for infrastructure visualization; each of these components adds to the attack surface.
Developed by tribe29 GmbH, based in Munich, Checkmk is widely deployed, reportedly serving over 2,000 customers, including Airbus, Adobe, NASA, and Siemens. Given that reach, these vulnerabilities are a business-continuity concern as well as a technical one.
The vulnerabilities identified include two categorized as critical and two deemed medium severity. The critical issues consist of a code injection vulnerability in the authentication component of watolib, as well as an arbitrary file read flaw within NagVis. The medium severity vulnerabilities involve a command injection flaw in Checkmk’s Livestatus wrapper and a server-side request forgery (SSRF) vulnerability affecting the host registration API.
Taken individually the flaws look limited, but they chain: the SSRF vulnerability gives an unauthenticated attacker a foothold by reaching endpoints that are only exposed on localhost, and that foothold is then leveraged through the other flaws to obtain access to the Checkmk graphical user interface.
Schiller explains that this GUI access is escalated to remote code execution through the code injection flaw in watolib, the component that generates the authentication file required by the NagVis integration. At that point the attacker is executing code on the monitoring server itself, with everything that server can see and reach.
The issues were reported to the vendor on August 22, 2022, and fixed in Checkmk version 2.1.0p12, released on September 15, 2022. Anyone still running 2.1.0p10 or older should upgrade.
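To turn the version range above into something an operator can actually check, here is an added example of a version comparison for Checkmk-style version strings. It is not code from the article, from tribe29, or from SonarSource. It assumes version strings of the form major.minor.micro with an optional bN (beta) or pN (patch) suffix, and an optional edition suffix such as .cre as appended by `omd version`; that output format is an assumption, not something the page states. The threshold follows the page's framing: anything older than 2.1.0p12 is flagged.

```python
import re
from typing import Tuple

# Versions the page names: 2.1.0p10 and older are affected, 2.1.0p12 carries the fix.
FIXED_VERSION = "2.1.0p12"

# Checkmk version strings look like "2.1.0", "2.1.0p12" (patch release) or
# "2.1.0b3" (beta). The optional ".cre"/".cee" edition suffix is what
# `omd version` appends; accepting it is an assumption about that output format.
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\.(?P<micro>\d+)"
    r"(?:(?P<kind>[pb])(?P<num>\d+))?"
    r"(?:\.(?P<edition>[a-z]+))?$"
)

# Ordering within one base release: beta < plain release < patch release.
_KIND_RANK = {"b": 0, None: 1, "p": 2}


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a Checkmk version string into a tuple that sorts in release order."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Checkmk version string: {text!r}")
    kind = m.group("kind")
    num = int(m.group("num") or 0)
    return (
        int(m.group("major")),
        int(m.group("minor")),
        int(m.group("micro")),
        _KIND_RANK[kind],
        num,
    )


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `installed` sorts before the fixed release.

    This follows the page's framing ("2.1.0p10 or older"): anything older than
    2.1.0p12 is flagged. It says nothing about whether older release lines
    received their own fixes; consult the vendor advisory for that.
    """
    return parse_version(installed) < parse_version(fixed)


def version_from_omd_output(line: str) -> str:
    """Pull the version token out of an `omd version` line.

    Assumed format (not from the page):
      'OMD - Open Monitoring Distribution Version 2.1.0p12.cre'
    The version is taken to be the last whitespace-separated token.
    """
    token = line.strip().split()[-1]
    parse_version(token)  # raises ValueError if the token is not a version
    return token


if __name__ == "__main__":
    # Constructed sample line, not real output captured from any system.
    sample = "OMD - Open Monitoring Distribution Version 2.1.0p10.cre"
    ver = version_from_omd_output(sample)
    verdict = f"AFFECTED, upgrade to {FIXED_VERSION}" if is_affected(ver) else "not affected"
    print(f"{ver}: {verdict}")
```

The ranking tuple is what makes betas, plain releases and patch releases of the same base version compare correctly; a naive string comparison would put "2.1.0p9" after "2.1.0p12". Note that the check only encodes what the article says about the 2.1.0 line; if you run a different maintained release line, read the vendor's own advisory rather than trusting this threshold.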
This is part of a broader pattern: other monitoring systems, including Zabbix and Icinga, have also had serious vulnerabilities that allowed unauthorized code execution. Because such tools are trusted by, and have network reach into, much of the infrastructure they monitor, a compromise endangers both operations and the sensitive information these systems handle.