CVE-2021-40904
📋 TL;DR
CVE-2021-40904 allows remote code execution through the CheckMK web management console by exploiting a misconfiguration in the default Dokuwiki installation. Attackers with administrative access (valid credentials or hijacked session) can execute arbitrary PHP code on affected systems. This affects CheckMK Raw Edition versions 1.5.0 through 1.6.0.
💻 Affected Systems
- CheckMK Raw Edition
📦 What is this software?
Checkmk by Checkmk
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing an attacker to execute arbitrary commands, steal sensitive data, pivot to other systems, and maintain persistent access.
Likely Case
Unauthorized access to sensitive monitoring data, modification of monitoring configurations, and potential lateral movement within the network.
If Mitigated
Limited to authenticated administrative users only, reducing attack surface but still allowing privilege escalation if admin credentials are compromised.
🎯 Exploit Status
Exploitation requires administrative access to the web interface. Public proof-of-concept code is available on GitHub.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.0p21 and later
Vendor Advisory: https://checkmk.com/
Restart Required: Yes
Instructions:
1. Update CheckMK to version 1.6.0p21 or later.
2. Apply the update via the CheckMK update mechanism.
3. Restart the CheckMK services.
4. Verify the Dokuwiki configuration no longer allows PHP execution.
🔧 Temporary Workarounds
Disable Dokuwiki PHP execution
Modify the Dokuwiki configuration to prevent PHP code execution (Linux)
Edit /omd/sites/[SITE]/etc/dokuwiki/local.php and ensure $conf['phpok'] = false;
Restrict web console access
Limit access to the web management interface to trusted IPs only (Linux)
Configure firewall rules or web server access controls to restrict /check_mk/ path
🧯 If You Can't Patch
- Implement strict access controls to the web management interface (IP whitelisting, VPN-only access)
- Enforce strong authentication policies and monitor for suspicious admin account activity
🔍 How to Verify
Check if Vulnerable:
Run omd version to check the CheckMK version. If it is between 1.5.0 and 1.6.0p20, check the Dokuwiki configuration for the $conf['phpok'] setting.
Check Version:
omd version
Verify Fix Applied:
Verify that the version is 1.6.0p21 or later and confirm $conf['phpok'] = false; in the Dokuwiki configuration.
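The two checks under "How to Verify" and the phpok workaround above, scripted as an added example (this is not code from the advisory or from Checkmk). It assumes version strings look like 1.6.0p21 (p-level optional) and may carry an edition suffix such as .cre, which it strips, that the version is the last token printed by omd version, and that the site's Dokuwiki config is at /omd/sites/<SITE>/etc/dokuwiki/local.php as stated above; the sample configs in demo() are constructed.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Checkmk. It turns the verification
# steps into functions: does the version fall in the range the advisory gives, and
# does the site's Dokuwiki config still allow PHP?
# Assumptions: version strings look like "1.6.0p21" (p-level optional) and may carry
# an edition suffix such as ".cre", which is stripped; the config lives at
# /omd/sites/<SITE>/etc/dokuwiki/local.php as the advisory states.

# Fold "MAJOR.MINOR.PATCH[pN]" into one integer so versions can be compared with -lt.
version_score() {
    v=$(printf '%s' "$1" | sed 's/\.c[er]e$//')   # drop edition suffix, e.g. 1.6.0p21.cre
    base=${v%%p*}                                  # 1.6.0p21 -> 1.6.0
    case "$v" in
        *p*) plevel=${v##*p} ;;                    # 1.6.0p21 -> 21
        *)   plevel=0 ;;                           # no p-level means p0
    esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    echo $(( ((major * 100 + minor) * 100 + patch) * 1000 + plevel ))
}

# "vulnerable" for 1.5.0 .. 1.6.0p20, "fixed" for 1.6.0p21 and later,
# "below-range" for anything older than 1.5.0 (not covered by the advisory).
classify_version() {
    s=$(version_score "$1")
    lo=$(version_score 1.5.0)
    fix=$(version_score 1.6.0p21)
    if [ "$s" -lt "$lo" ]; then echo below-range
    elif [ "$s" -lt "$fix" ]; then echo vulnerable
    else echo fixed
    fi
}

# Report how local.php sets phpok: "enabled", "disabled" or "unset" (then the
# Dokuwiki default applies and must be checked in the main config separately).
# The last assignment in the file wins, as it would in PHP.
phpok_status() {
    f=$1
    [ -r "$f" ] || { echo unreadable; return 1; }
    val=$(sed -n "s/^[[:space:]]*\$conf\[['\"]phpok['\"]\][[:space:]]*=[[:space:]]*\([^;[:space:]]*\)[[:space:]]*;.*/\1/p" "$f" | tail -n 1)
    case "$val" in
        '')                       echo unset ;;
        true|TRUE|True|1)         echo enabled ;;
        false|FALSE|False|0)      echo disabled ;;
        *)                        echo "unknown($val)" ;;
    esac
}

# Live check for one OMD site; needs omd on PATH and read access to the site config.
# Assumption: the version is the last whitespace-separated token of `omd version`.
check_site() {
    site=$1
    ver=$(omd version 2>/dev/null | awk '{print $NF}')
    echo "version $ver: $(classify_version "$ver")"
    echo "phpok: $(phpok_status "/omd/sites/$site/etc/dokuwiki/local.php")"
}

# Constructed sample configs (not from a real site) to show the output offline.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '<?php' "\$conf['title'] = 'Checkmk wiki';" "\$conf['phpok'] = true;" > "$d/weak.php"
    printf '%s\n' '<?php' "\$conf['phpok'] = false;" > "$d/fixed.php"
    for v in 1.4.0 1.5.0 1.6.0p20.cre 1.6.0p21.cre 2.0.0p5; do
        printf '%-14s %s\n' "$v" "$(classify_version "$v")"
    done
    printf 'weak.php  phpok: %s\n' "$(phpok_status "$d/weak.php")"
    printf 'fixed.php phpok: %s\n' "$(phpok_status "$d/fixed.php")"
    rm -rf "$d"
}
```

Run demo to see the classification on the constructed inputs, or check_site SITENAME on a monitoring host. An "unset" result is not a pass: it means local.php is silent and the effective value comes from the main Dokuwiki config, which must then be read as well.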
📡 Detection & Monitoring
Log Indicators:
- Unusual PHP file uploads or modifications in Dokuwiki directories
- Suspicious admin login patterns or session hijacking attempts
- Unexpected system commands executed from web interface
Network Indicators:
- Unusual outbound connections from CheckMK server
- HTTP requests to Dokuwiki with PHP payloads
SIEM Query:
source="checkmk" AND (event="file_upload" OR event="config_change") AND user="admin"
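The first log indicator above (PHP content or modifications in Dokuwiki directories) as a host-side scan, added here as an example and not taken from the advisory or from Checkmk. It assumes the site's wiki pages live under /omd/sites/<SITE>/var/dokuwiki/data/pages as *.txt files, and relies on Dokuwiki's own syntax for embedded PHP, which is written inside <php>...</php> blocks; the wiki tree in demo() is constructed.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Checkmk. It scans a Dokuwiki page tree
# for embedded PHP blocks and for recently changed pages so the result can feed a SIEM.
# Assumptions: pages are *.txt files under /omd/sites/<SITE>/var/dokuwiki/data/pages,
# and embedded PHP in a Dokuwiki page sits inside <php>...</php> (Dokuwiki's own syntax).

# List page files that contain an embedded PHP block, one path per line, sorted.
# A while-read loop is used rather than grep -r so no-match runs never read stdin.
find_php_blocks() {
    dir=$1
    find "$dir" -type f -name '*.txt' | while read -r f; do
        grep -qi '<php>' "$f" && echo "$f"
    done | sort
}

# List page files changed within the last N days (default 1), for a change baseline.
find_recent_pages() {
    dir=$1
    days=${2:-1}
    find "$dir" -type f -name '*.txt' -mtime "-$days" | sort
}

# Number of pages with embedded PHP; any non-zero count is the alertable condition.
php_block_count() {
    find_php_blocks "$1" | wc -l | tr -d ' '
}

# Constructed sample wiki tree (not real site data): one clean page, one with a PHP block.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/pages/monitoring"
    printf '%s\n' '====== Host list ======' '  * web01' '  * db01' > "$d/pages/monitoring/hosts.txt"
    printf '%s\n' '====== Notes ======' '<php>' '// constructed sample block' '</php>' > "$d/pages/monitoring/notes.txt"
    touch -d '10 days ago' "$d/pages/monitoring/hosts.txt"   # GNU touch: make the clean page an old baseline
    echo "pages with embedded PHP: $(php_block_count "$d/pages")"
    find_php_blocks "$d/pages" | sed 's/^/  /'
    echo "pages changed in the last day:"
    find_recent_pages "$d/pages" 1 | sed 's/^/  /'
    rm -rf "$d"
}
```

On a fixed system with phpok disabled, a <php> block in a page is rendered as text rather than executed, so a non-zero php_block_count is still worth a ticket: it shows someone tried, and the page should be reviewed and cleaned. Pair find_recent_pages with the wiki's own change log to spot edits made outside normal editing hours.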