Checkmk Windows Agent Privilege Escalation Vulnerability in Windows License Plugin

Vulnerability

A privilege escalation vulnerability has been identified in the Checkmk Windows Agent, specifically within the Windows License plugin. This issue arises from the use of an insecure temporary directory, allowing unauthorized users to manipulate the 'win_license.bat' script. The vulnerability affects Checkmk versions 2.4.0 prior to 2.4.0p13, 2.3.0 prior to 2.3.0p38, 2.2.0 prior to 2.2.0p46, and all versions of 2.1.0 (EOL).

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation on the affected system.

Reproduction

On Windows hosts, the 'win_license.bat' plugin retrieves license information by invoking the 'slmgr.vbs' script, which manages Windows licenses. The plugin's copying logic, however, departs from the script's default operation: 'slmgr.vbs' is redirected to a global, unprotected location where any user can edit it. Once modified, the script can be exploited for malicious purposes.
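The root cause described above is a directory (or file) that a privileged component uses while low-privilege principals hold write access to it. The following PowerShell audit is an added example for defenders, not Checkmk's code and not taken from the advisory: it lists every allow ACE on a path that grants create, write, modify or delete rights to broad principals such as Everyone or BUILTIN\Users. The path is a placeholder, since the advisory does not name the directory the plugin uses; the principal names assume an English locale (a locale-independent variant would compare well-known SIDs instead).

```powershell
# Added example (not Checkmk's code): report ACEs that let any local user write to a path.
# Assumptions: English principal names; the path to audit is supplied by the caller.

# Principals that effectively mean "any local user".
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow creating, changing or removing files under the path.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::Delete

# Some ACEs carry generic access bits that do not map to enum names; check them as raw bits.
$GenericWriteBits = 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

function Get-BroadWriteAces {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Only "Allow" entries widen access; "Deny" entries narrow it.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }

        $rights = [int]$ace.FileSystemRights
        $grantsWrite = (($rights -band [int]$WriteMask) -ne 0) -or
                       (($rights -band $GenericWriteBits) -ne 0)
        if ($grantsWrite) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Placeholder path: substitute the directory your agent's plugins actually write to.
$PathToAudit = 'C:\PLACEHOLDER\agent-temp'
$findings = @(Get-BroadWriteAces -Path $PathToAudit)
if ($findings.Count -eq 0) {
    "No broad write access on $PathToAudit"
} else {
    $findings | Format-Table -AutoSize
}
```

An empty result means no broad principal can plant or alter files at that path through a direct ACE; a non-empty result is the precondition this advisory describes and should be treated as a finding regardless of which component uses the directory. Inherited entries are reported too, because the weakness often comes from the parent directory rather than from the path itself.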

Remediation

Users can update to Checkmk versions 2.4.0p13, 2.3.0p38, or 2.2.0p46. If an update is not possible, the Windows License plugin can be disabled.
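To turn the affected ranges above into something an inventory script can apply, here is an added PowerShell example (not Checkmk's code) that parses an agent version string and reports whether it falls inside the ranges this advisory lists. It assumes the version format "major.minor.micro" with an optional "p<n>" patch level, where a plain "2.4.0" counts as patch level 0; any other format is rejected rather than guessed at, and lines the advisory does not mention are reported as unknown rather than as safe.

```powershell
# Added example (not Checkmk's code): classify a Checkmk agent version against this advisory.
# Assumption: versions look like "2.4.0p13"; a bare "2.4.0" is treated as patch level 0.

function ConvertTo-CheckmkVersion {
    param([Parameter(Mandatory)][string]$Version)

    if ($Version -notmatch '^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$') {
        throw "Unrecognised Checkmk version format: '$Version'"
    }
    $patch = if ($Matches[4]) { [int]$Matches[4] } else { 0 }
    [pscustomobject]@{
        Line  = "$($Matches[1]).$($Matches[2]).$($Matches[3])"   # e.g. "2.4.0"
        Patch = $patch
    }
}

# Affected lines from the advisory: line => first fixed patch level ($null = no fix, EOL line).
$FixedPatchByLine = @{
    '2.4.0' = 13
    '2.3.0' = 38
    '2.2.0' = 46
    '2.1.0' = $null
}

function Test-CheckmkAgentAffected {
    param([Parameter(Mandatory)][string]$Version)

    $v = ConvertTo-CheckmkVersion -Version $Version
    if (-not $FixedPatchByLine.ContainsKey($v.Line)) {
        # Not a line the advisory lists: unknown, not safe.
        return [pscustomobject]@{ Version = $Version; Affected = $null; FixedIn = $null }
    }
    $fixed = $FixedPatchByLine[$v.Line]
    if ($null -eq $fixed) {
        # Every patch level of this line is affected and no fix exists for it.
        return [pscustomobject]@{ Version = $Version; Affected = $true; FixedIn = 'none (EOL line)' }
    }
    [pscustomobject]@{
        Version  = $Version
        Affected = ($v.Patch -lt $fixed)
        FixedIn  = "$($v.Line)p$fixed"
    }
}

# Constructed sample inputs covering each line, the boundary patch levels and an unlisted line.
'2.4.0', '2.4.0p12', '2.4.0p13', '2.3.0p38', '2.2.0p45', '2.1.0p40', '2.5.0' |
    ForEach-Object { Test-CheckmkAgentAffected -Version $_ } |
    Format-Table -AutoSize
```

The comparison is deliberately per line: a 2.3.0p38 host is fixed even though 2.4.0p12 (a numerically "newer" line) is not, which a naive lexical or dotted-number comparison would get wrong. Hosts that report an unknown line should be checked against the vendor's own release notes rather than assumed unaffected.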

Added: Oct 9, 2025, 3:20 PM
Updated: Oct 9, 2025, 3:54 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 10.0
exploitability: 3.8
remediation: 8.3
relevance: 0.7
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.