Checkmk NagVis
cpe:2.3:a:nagvis:nagvis:*:*:*:*:*:*:*
- 1.9.40
A remote code execution vulnerability exists in the NagVis component of Checkmk, specifically in Checkmk version 2.3.0p2 and NagVis version 1.9.40, both running on GNU/Linux. The vulnerability allows an authenticated attacker with administrative privileges to upload a malicious PHP file disguised as a configuration file. Once the file is uploaded, the attacker can modify settings to execute the PHP code it contains.
Exploitation of this vulnerability allows for remote code execution on the server where Checkmk is running.
To reproduce this vulnerability, authenticate as an administrative user in Checkmk. Navigate to the NagVis AJAX handler and upload a file named 'exploit.cfg' through the 'Map' module's 'manage' action. This file should contain PHP code that, once uploaded, can be executed by manipulating the 'global_authorisation_multisite_file' setting to point to the uploaded file. After the configuration is updated, the PHP code can be executed via a crafted request that includes the 'cmd' parameter.
Users can upgrade to Checkmk 2.3.0p10 and NagVis 1.9.42, both released on July 15, 2024, to address this vulnerability.
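Detection logic for the request sequence described in the reproduction steps above, as an added example that is not part of the original advisory or of Checkmk/NagVis code. It assumes Apache combined-format access logs, that NagVis is served under a path containing `/nagvis/`, that the AJAX handler's file name contains `ajax_handler`, and that the module and action names appear as query-string values; the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined log format (not from a real system).
SAMPLE_LOG = """\
192.0.2.10 - admin [16/Jul/2024:10:00:01 +0000] "GET /mysite/nagvis/frontend/nagvis-js/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - admin [16/Jul/2024:10:00:09 +0000] "POST /mysite/nagvis/server/core/ajax_handler.php?mod=Map&act=manage HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.0.2.10 - admin [16/Jul/2024:10:00:30 +0000] "GET /mysite/nagvis/frontend/nagvis-js/index.php?cmd=EXAMPLE HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.7 - alice [16/Jul/2024:10:05:00 +0000] "GET /mysite/check_mk/index.py HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(method, target):
    """Return a finding label for a NagVis request, or None if unremarkable."""
    parts = urlsplit(target)
    if "/nagvis/" not in parts.path:  # assumed NagVis URL prefix
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    values = {v for vals in query.values() for v in vals}
    # 'Map' module with 'manage' action on the AJAX handler: the upload step.
    # Legitimate admins use this too, so treat it as context, not proof.
    if method == "POST" and "ajax_handler" in parts.path and {"Map", "manage"} <= values:
        return "map-manage-upload"
    # A 'cmd' parameter on a NagVis URL matches the execution step in the advisory.
    if "cmd" in query:
        return "cmd-parameter"
    return None

def triage(log_text):
    """Flag matching requests; mark 'cmd' hits that follow an upload from the same IP."""
    findings, uploaders = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        kind = classify(m["method"], m["target"]) if m else None
        if kind is None:
            continue
        if kind == "map-manage-upload":
            uploaders.add(m["ip"])
        chained = kind == "cmd-parameter" and m["ip"] in uploaders
        findings.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"],
                         "kind": kind, "chained": chained})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A `chained` finding warrants checking whether the 'global_authorisation_multisite_file' setting still points at the expected file and reviewing recently uploaded map configuration files for PHP content.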