Checkmk IT Infrastructure Monitoring Software

Multiple vulnerabilities have been disclosed in Checkmk IT
Infrastructure monitoring software that could be chained together
by an unauthenticated, remote attacker to fully take over affected
servers.

“These vulnerabilities can be chained together by an
unauthenticated, remote attacker to gain code execution on the
server running Checkmk version 2.1.0p10 and lower,” SonarSource
researcher Stefan Schiller said[1]
in a technical analysis.

Checkmk’s open source edition of the monitoring tool is based on
Nagios Core[2]
and offers integrations with NagVis[3]
for the visualization and generation of topological maps of
infrastructures, servers, ports, and processes.

According to its Munich-based developer tribe29 GmbH, its
Enterprise and Raw editions are used by over 2,000 customers[4],
including Airbus, Adobe, NASA, Siemens, Vodafone, and others.

The four vulnerabilities, which consist of two Critical and two
Medium severity bugs, are as follows –

While these shortcomings on their own have a limited impact, an
adversary can chain the issues, starting with the SSRF flaw[5]
to access an endpoint only reachable from localhost, using it to
bypass authentication and read a configuration file, ultimately
gaining access to the Checkmk GUI.

“This access can further be turned into remote code execution by
exploiting a Code Injection vulnerability in a Checkmk GUI
subcomponent called watolib, which generates a file named auth.php
required for the NagVis integration,” Schiller explained.

Following responsible disclosure on August 22, 2022, the four
vulnerabilities have been patched in Checkmk version 2.1.0p12
released on September 15, 2022.
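For a defender triaging an estate, the practical question is which installs fall at or below 2.1.0p10 and which already carry the 2.1.0p12 fix. The following is an added example (not code from the article, SonarSource or tribe29) that parses Checkmk's "X.Y.ZpN" version strings and classifies them against the versions the article names; it assumes that a release without a "pN" suffix sorts before "p1" of the same base, and it deliberately reports 2.1.0p11 as "unknown" because the article does not address it.

```python
import re
from typing import Dict, Iterable, Tuple

# Version pattern for Checkmk release strings such as "2.1.0" or "2.1.0p10".
# Assumption (not from the article): other suffixes (betas, innovation
# builds) are rejected instead of guessed at.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '2.1.0p10' into the comparable tuple (2, 1, 0, 10).

    A plain release like '2.1.0' maps to patch level 0, so it sorts
    before '2.1.0p1' (assumption about Checkmk's ordering).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported Checkmk version string: {text!r}")
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


# Boundaries taken from the article: 2.1.0p10 and lower are affected,
# 2.1.0p12 carries the fix.
LAST_AFFECTED = parse_version("2.1.0p10")
FIRST_FIXED = parse_version("2.1.0p12")


def classify(text: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for one version string."""
    v = parse_version(text)
    if v <= LAST_AFFECTED:
        return "affected"
    if v >= FIRST_FIXED:
        return "fixed"
    return "unknown"  # 2.1.0p11 is not covered by the article


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> classification for a {host: version} inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, e.g. exported from an asset database.
    sample = {"mon-01": "2.1.0p10", "mon-02": "2.1.0p12", "mon-03": "2.0.0p5"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {sample[host]} -> {verdict}")
```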

The findings follow the discovery of multiple flaws in other
monitoring solutions like Zabbix[6]
and Icinga[7]
since the start of the year, which could have been exploited to
compromise the servers by running arbitrary code.

References

  1. said (blog.sonarsource.com)
  2. Nagios Core (thehackernews.com)
  3. NagVis (docs.checkmk.com)
  4. over 2,000 customers (checkmk.com)
  5. SSRF flaw (owasp.org)
  6. Zabbix (thehackernews.com)
  7. Icinga (blog.sonarsource.com)