Checkmk Privilege Escalation Vulnerability in mk_mysql Agent Plugin on Windows

Vulnerability

A privilege escalation vulnerability has been identified in the mk_mysql agent plugin of the Checkmk Windows agent. It affects Checkmk 2.4.0 versions before 2.4.0p29, 2.3.0 versions before 2.3.0p47, and all 2.2.0 versions (EOL). A local unprivileged user can use it to execute arbitrary code in the context of the Checkmk agent service, which typically runs as SYSTEM. The root cause is the way the plugin discovers MySQL and MariaDB instances: it queries Windows services by name, so an unprivileged user who can create a service named 'MySQL' or 'MariaDB', or who has write access to a binary referenced by such a service, can exploit the vulnerability.

Impact

Exploitation of this vulnerability could lead to unauthorized privilege escalation, allowing a local user to execute arbitrary code with elevated rights in the context of the Checkmk agent service.

Remediation

Users are advised to update to Checkmk versions 2.4.0p29 or 2.3.0p47. If an update is not possible, the mk_mysql plugin can be disabled on affected Windows hosts. Additionally, it is recommended to restrict the ability to create or modify Windows services to administrators only, and to limit write access to directories containing MySQL or MariaDB binaries to privileged users.
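As a defender's check for the last two remediation points (service permissions and write access to MySQL/MariaDB binaries), the following PowerShell audit is an added example for this page; it is not Checkmk's own code and not part of the original advisory. It enumerates Windows services whose name or display name looks like MySQL or MariaDB, resolves each service's binary path, and reports any binary, or parent directory of a binary, on which a low-privilege principal holds write-class rights. Assumptions: it is run from an elevated PowerShell session on an English Windows installation (the principal names in the list are the English built-in names), and the regular expression used to select services is a heuristic chosen for this example, not the plugin's exact matching logic.

```powershell
# Added audit example (not Checkmk's own code): find MySQL/MariaDB-named services whose
# binary or binary directory can be modified by low-privilege principals.
# Assumption: run elevated on an English Windows install (built-in principal names below).

$lowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights on the file or its directory lets a non-admin replace the binary.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName is either quoted, possibly with arguments
    # ("C:\Program Files\MySQL\bin\mysqld.exe" --defaults-file=...), or unquoted
    # with optional arguments (C:\mysql\bin\mysqld.exe MySQL).
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(\S+?\.exe)') { return $Matches[1] }
    return ($PathName.Trim() -split '\s+')[0]
}

function Get-LowPrivWriteAce {
    param([string]$Path)
    # Returns the first Allow ACE that grants write-class rights to a low-privilege
    # principal, or $null when none exists.
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $ace }
    }
    return $null
}

$findings = @()
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -match 'mysql|mariadb' -or $_.DisplayName -match 'mysql|mariadb' }

foreach ($svc in $services) {
    $binary = Get-ServiceBinaryPath $svc.PathName
    if (-not $binary) { continue }
    # Check both the executable and the directory that contains it.
    foreach ($target in @($binary, (Split-Path -Parent $binary))) {
        if (-not (Test-Path -LiteralPath $target)) {
            $findings += [pscustomobject]@{ Service = $svc.Name; Path = $target; Issue = 'path does not exist' }
            continue
        }
        $ace = Get-LowPrivWriteAce $target
        if ($ace) {
            $findings += [pscustomobject]@{
                Service = $svc.Name
                Path    = $target
                Issue   = "writable by $($ace.IdentityReference) ($($ace.FileSystemRights))"
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No MySQL/MariaDB service binaries or directories writable by low-privilege principals found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Any row this prints is a candidate for tightening the ACL with icacls or the folder's security properties so that only administrators and the service account can write. The separate question of who may create services is governed by the Service Control Manager's own security descriptor, which `sc.exe sdshow scmanager` displays; on a default installation, only administrators hold the create-service right there, and this script does not change or check that setting.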

Added: May 13, 2026, 4:30 PM
Updated: May 13, 2026, 4:30 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 10.0
exploitability: 3.4
remediation: 8.3
relevance: 8.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.