CVE-2022-46836

9.1 CRITICAL

📋 TL;DR

This CVE describes a PHP code injection vulnerability in Checkmk's watolib auth.php and hosttags.php components. Attackers can inject and execute arbitrary PHP code when vulnerable components are accessed, leading to remote code execution. Affected users include all organizations running vulnerable Checkmk versions for infrastructure monitoring.

💻 Affected Systems

Products:
  • Checkmk
Versions: Checkmk <= 2.1.0p10, Checkmk <= 2.0.0p27, Checkmk <= 1.6.0p29
Operating Systems: Linux, Windows, All platforms running Checkmk
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. The vulnerability exists in core watolib components used for authentication and host tagging.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, steal sensitive monitoring data, pivot to other systems, and establish persistent backdoors.

🟠 Likely Case

Unauthorized access to monitoring data, modification of monitoring configurations, and potential lateral movement within the network.

🟢 If Mitigated

Limited impact with proper network segmentation, restricted access controls, and monitoring of suspicious PHP execution patterns.

🌐 Internet-Facing: HIGH - If Checkmk web interface is exposed to the internet, attackers can exploit this without internal access.
🏢 Internal Only: HIGH - Even internally, any user with access to the web interface could potentially exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication to the Checkmk web interface. Public technical details and proof-of-concept information are available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Checkmk 2.1.0p11, 2.0.0p28, 1.6.0p30 and later

Vendor Advisory: https://checkmk.com/werk/14383

Restart Required: Yes

Instructions:

1. Back up your Checkmk configuration and data.
2. Update to the patched version using your distribution's package manager or Checkmk's update mechanism.
3. Restart Checkmk services.
4. Verify the update was successful.

🔧 Temporary Workarounds

Restrict Web Interface Access

Limit access to the Checkmk web interface to trusted IP addresses only, using firewall rules or web server configuration. The ACCEPT rules below only have an effect together with a matching DROP (or a default DROP policy on the INPUT chain); replace TRUSTED_IP with your management network.

iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Disable Unnecessary Components

Temporarily disable or restrict access to the vulnerable watolib components if they are not required for operations. Renaming these files may break functionality that depends on them, so test the change on a non-production site first and keep the originals for rollback.

# Rename the vulnerable files (replace SITE with your Checkmk site name)
mv /omd/sites/SITE/share/check_mk/web/htdocs/wato/auth.php /omd/sites/SITE/share/check_mk/web/htdocs/wato/auth.php.disabled
mv /omd/sites/SITE/share/check_mk/web/htdocs/wato/hosttags.php /omd/sites/SITE/share/check_mk/web/htdocs/wato/hosttags.php.disabled

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Checkmk servers from critical systems
  • Enforce strong authentication and limit user privileges to minimum required access

🔍 How to Verify

Check if Vulnerable:

Run omd version on the Checkmk server (or read the version shown in the web interface) and compare it against the affected versions listed above.

Check Version:

omd version

Verify Fix Applied:

Verify the version is patched: omd version should show 2.1.0p11, 2.0.0p28 or 1.6.0p30, or a later release of the same branch. Test vulnerable endpoints for code injection.
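Comparing a Checkmk version against the fixed releases by hand is error-prone because each maintenance branch (2.1.0, 2.0.0, 1.6.0) has its own fix level. The following added example (not part of the original page or of Checkmk) parses a version string or the omd version banner and reports whether it falls below the fix for its branch; the banner format "OMD - Open Monitoring Distribution Version X.Y.ZpN.edition" is an assumption, and pre-release suffixes (i, b) are ranked below the stable release.

```python
import re

# Fixed releases named in the advisory: Checkmk 2.1.0p11, 2.0.0p28, 1.6.0p30.
FIXED = ("2.1.0p11", "2.0.0p28", "1.6.0p30")

# Matches "2.1.0p10", "2.1.0", "2.2.0b1", "2.2.0i1" and the version inside the
# assumed "omd version" banner ("OMD - Open Monitoring Distribution Version 2.1.0p10.cre").
_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:([ibp])(\d+))?")
# Rank pre-releases (i = innovation, b = beta) below the stable/patch line.
_RANK = {"i": 0, "b": 1, None: 2, "p": 2}


def parse_version(text):
    """Return a sortable key (major, minor, patch, rank, n), or None if no version is found."""
    m = _VER_RE.search(text)
    if not m:
        return None
    major, minor, patch, kind, n = m.groups()
    # A plain "2.1.0" is the stable release, i.e. patch level 0 of the "p" line.
    return (int(major), int(minor), int(patch), _RANK[kind], int(n or 0))


def is_affected(text):
    """Return (affected, reason) for a version string or raw omd version output.

    affected is True, False, or None when the input could not be parsed.
    """
    v = parse_version(text)
    if v is None:
        return None, "could not parse a Checkmk version"
    fixed = sorted(parse_version(f) for f in FIXED)
    for f in fixed:
        if f[:3] == v[:3]:  # same maintenance branch: compare against its fix level
            if v < f:
                return True, "predates the fix in this branch"
            return False, "at or above the fixed patch level"
    if v < fixed[0]:
        return True, "older than 1.6.0p30; advisory lists <= 1.6.0p29 as affected"
    return False, "branch newer than 2.1.0; not listed as affected"


if __name__ == "__main__":
    # Constructed sample banner, not real command output.
    sample = "OMD - Open Monitoring Distribution Version 2.1.0p10.cre"
    print(is_affected(sample))  # → (True, 'predates the fix in this branch')
```

On a live server, pipe the real output in with omd version | python3 check_version.py after changing the sample line to read sys.stdin.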

📡 Detection & Monitoring

Log Indicators:

  • Unusual PHP execution patterns in Checkmk logs
  • Unexpected modifications to auth.php or hosttags.php files
  • Suspicious POST requests to vulnerable endpoints

Network Indicators:

  • Unusual outbound connections from Checkmk server
  • Traffic patterns indicating data exfiltration

SIEM Query:

source="checkmk.log" AND ("auth.php" OR "hosttags.php") AND (POST OR PUT) AND (php OR eval OR system)
