Application: CheckMK Management Web Console

Software Revision: From 1.5.0 to 1.5.0p25

Attack type: RCE

Solution: Upgrade to version 1.6 or higher.

Summary: The web management console of CheckMk Raw Edition (versions 1.5.0 to 1.5.0p25) allows a misconfiguration of the web-app Dokuwiki (installed by default) which allows embedded php code. As a result, remote code execution is achieved. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session by a user with the role of administrator.

Technical Description: See CVE-2021-40904

Timeline:

• 2021-09-01 Issues discovered.
• 2021-09-06 First contact with vendor via e-mail.
• 2021-09-08 Vendor response. RCE vulnerabilities were already detected, and higher versions already exist with the patch.
• 2022-03-25 Public disclosure.

Reference:

• https://checkmk.com/download/archive#checkmk-1.6.0
• https://checkmk.com/download/archive#checkmk-2.0.0
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40904
• https://nvd.nist.gov/vuln/detail/CVE-2021-40904

PoC checkmk version 1.5.0p25 Raw Edition