CVE-2022-46303

8.0 HIGH

📋 TL;DR

This vulnerability allows authenticated users with User Management permissions (and LDAP administrators in some configurations) to inject arbitrary commands into SMS notification functionality in Checkmk. Successful exploitation enables attackers to execute commands with the application's local permissions, potentially leading to system compromise. Affected systems include Checkmk versions up to 2.1.0p10, 2.0.0p27, and 1.6.0p29.

💻 Affected Systems

Products:
  • Tribe29 Checkmk
Versions: Checkmk <= 2.1.0p10, Checkmk <= 2.0.0p27, Checkmk <= 1.6.0p29
Operating Systems: Linux-based systems running Checkmk
Default Config Vulnerable: ⚠️ Yes
Notes: Requires User Management permissions or LDAP administrator access in certain configurations. SMS notification functionality must be enabled or accessible.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise allowing attacker to execute arbitrary commands as the Checkmk application user, potentially leading to data theft, lateral movement, or complete system takeover.

🟠

Likely Case

Privilege escalation leading to unauthorized access to sensitive monitoring data, configuration manipulation, or limited command execution within the application context.

🟢

If Mitigated

Limited impact if proper access controls restrict User Management permissions to trusted administrators only and network segmentation limits lateral movement.

🌐 Internet-Facing: MEDIUM - While exploitation requires authentication, internet-facing Checkmk instances with exposed administrative interfaces could be targeted by credential-based attacks.
🏢 Internal Only: HIGH - Internal attackers with legitimate User Management permissions or compromised accounts can exploit this vulnerability to gain elevated privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with User Management permissions. The vulnerability is in SMS notification parameter handling where user input is not properly sanitized before being passed to system commands.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Checkmk 2.1.0p11, 2.0.0p28, 1.6.0p30 and later

Vendor Advisory: https://checkmk.com/werk/14381

Restart Required: Yes

Instructions:

1. Back up your Checkmk configuration.
2. Update to the patched version using your distribution's package manager or Checkmk's update mechanism.
3. Restart the Checkmk services.
4. Verify that the update was successful.

🔧 Temporary Workarounds

Restrict User Management Permissions

Platform: all

Limit User Management permissions to only essential, trusted administrators to reduce the attack surface.

Disable SMS Notifications

Platform: linux

Temporarily disable SMS notification functionality if it is not required for operations.

omd config set APACHE_TCP_ADDR 0
omd restart apache

Note that APACHE_TCP_ADDR controls the address the site's Apache listens on; the two commands above restrict reachability of the web interface rather than changing the notification configuration itself, so confirm their effect before relying on them as an SMS workaround.

🧯 If You Can't Patch

  • Implement strict access controls to limit User Management permissions to minimum necessary personnel
  • Monitor and audit all user management activities and SMS notification configurations for suspicious changes

🔍 How to Verify

Check if Vulnerable:

Check the Checkmk version with omd version. If the version is <= 2.1.0p10, <= 2.0.0p27, or <= 1.6.0p29 on its respective branch, the system is vulnerable.

Check Version:

omd version

Verify Fix Applied:

Verify that the installed version is at least the fixed release for its branch (>= 2.1.0p11, >= 2.0.0p28, or >= 1.6.0p30). Test SMS notification functionality with safe test commands.
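The version check above compares a Checkmk version against a per-branch ceiling, which is easy to get wrong by hand (2.1.0p9 is affected, 2.1.0p11 is not, and a 2.0.x site must be compared against 2.0.0p27, not 2.1.0p10). The following POSIX shell script is an added example, not part of the advisory or of Checkmk, that parses a version string of the form MAJOR.MINOR.PATCHpN and reports whether it falls inside the affected ranges listed on this page. It assumes (an assumption, not stated on the page) that the string may carry an edition suffix such as .cre or .cee and that omd version prints such a string on its output line; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example for CVE-2022-46303 (not the advisory's or Checkmk's own code).
# Decides whether a Checkmk version is at or below the affected ceiling for
# its release branch. Assumption: versions look like MAJOR.MINOR.PATCHpN,
# optionally followed by an edition suffix (e.g. 2.1.0p10.cre), and
# `omd version` prints that string somewhere in its output.

# Highest affected release per branch, as stated in the advisory.
AFFECTED_CEILINGS="2.1.0p10 2.0.0p27 1.6.0p29"

# Extract "2.1.0p10" from any surrounding text; prints nothing if absent.
cmk_normalize() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+p[0-9]+' | head -n 1
}

# Print the four numeric components "MAJOR MINOR PATCH N"; fails if unparseable.
cmk_parts() {
    v=$(cmk_normalize "$1")
    [ -n "$v" ] || return 1
    printf '%s\n' "$v" | sed 's/[.p]/ /g'
}

# Compare two versions component-wise; prints -1, 0 or 1.
cmk_cmp() {
    a=$(cmk_parts "$1") || return 1
    b=$(cmk_parts "$2") || return 1
    set -- $a $b
    [ "$#" -eq 8 ] || return 1
    for pair in "$1:$5" "$2:$6" "$3:$7" "$4:$8"; do
        x=${pair%%:*}
        y=${pair#*:}
        if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
        if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
    done
    echo 0
}

# Exit status: 0 = affected (at or below its branch ceiling),
#              1 = fixed (above the ceiling),
#              2 = unparseable, or branch not listed in the advisory.
cmk_is_affected() {
    v=$(cmk_normalize "$1")
    [ -n "$v" ] || return 2
    branch=${v%p*}                      # e.g. "2.1.0"
    for c in $AFFECTED_CEILINGS; do
        [ "${c%p*}" = "$branch" ] || continue
        r=$(cmk_cmp "$v" "$c") || return 2
        [ "$r" -le 0 ] && return 0
        return 1
    done
    return 2
}

# Human-readable verdict for one version string.
cmk_report() {
    rc=0
    cmk_is_affected "$1" || rc=$?
    case "$rc" in
        0) printf '%s: AFFECTED, update to the fixed release for this branch\n' "$1" ;;
        1) printf '%s: not affected (fixed release or later)\n' "$1" ;;
        *) printf '%s: cannot classify (unparseable or branch not in advisory)\n' "$1" ;;
    esac
    return "$rc"
}

# Check the local site when omd is installed; otherwise explain why not.
cmk_check_local() {
    if ! command -v omd >/dev/null 2>&1; then
        echo "omd not found on this host; pass a version string explicitly"
        return 2
    fi
    cmk_report "$(omd version 2>/dev/null)"
}

# Usage: run with no argument to check the local site, or pass a version
# string (constructed sample shown) to classify it offline.
if [ "$#" -gt 0 ]; then
    cmk_report "$1"
elif [ "${CMK_EXAMPLE_NO_MAIN:-}" = "" ]; then
    cmk_report "OMD - Open Monitoring Distribution Version 2.1.0p10.cre"
fi
```

Run it as sh check.sh 2.0.0p28 to classify a known version, or without arguments on the Checkmk host to read the version from omd version. The per-branch lookup is the point: a 2.0.0 site is compared only against 2.0.0p27, so a later major branch that the advisory does not list is reported as unclassified rather than silently treated as safe.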

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in Checkmk logs
  • Suspicious SMS notification configuration changes
  • Multiple failed authentication attempts followed by successful login

Network Indicators:

  • Unexpected outbound connections from Checkmk server
  • Unusual command and control traffic patterns

SIEM Query:

source="checkmk.log" AND ("sms" OR "notification") AND ("exec" OR "system" OR "command")
