CVE-2023-31208

8.3 HIGH

📋 TL;DR

This vulnerability allows authorized users of Checkmk's RestAPI to execute arbitrary livestatus commands because command delimiters in API input are not properly neutralized. Attackers holding valid credentials can potentially execute commands on the underlying system. Anyone running an affected Checkmk version with the RestAPI enabled is exposed.

💻 Affected Systems

Products:
  • Checkmk
Versions: Checkmk < 2.0.0p36, < 2.1.0p28, and < 2.2.0b8 (beta)
Operating Systems: Linux-based systems running Checkmk
Default Config Vulnerable: ⚠️ Yes
Notes: Requires RestAPI to be enabled and user authentication. Default installations with RestAPI enabled are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise via arbitrary command execution leading to data theft, lateral movement, or ransomware deployment.

🟠 Likely Case: Unauthorized data access, configuration changes, or service disruption within the monitoring environment.

🟢 If Mitigated: Limited impact if proper network segmentation and least privilege access controls are implemented.

🌐 Internet-Facing: HIGH if RestAPI is exposed to the internet, as authenticated attackers can exploit remotely.
🏢 Internal Only: HIGH as authorized internal users or compromised accounts can exploit the vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid authentication to the RestAPI. The vulnerability is in command delimiter handling, making exploitation straightforward for authenticated attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.0p36, 2.1.0p28, or 2.2.0b8

Vendor Advisory: https://checkmk.com/werk/15191

Restart Required: Yes

Instructions:

1. Back up your Checkmk configuration.
2. Update to the patched version using your package manager (apt/yum) or Checkmk's update mechanism.
3. Restart Checkmk services.
4. Verify the update was successful (for example with omd version).

🔧 Temporary Workarounds

Disable RestAPI

Temporarily disable the RestAPI if it is not required; this prevents exploitation entirely.

omd stop [SITE]
# edit the site configuration to disable the RestAPI
omd start [SITE]

Restrict API Access

Limit RestAPI access to trusted IP addresses using firewall rules. The ACCEPT rule must be added before the DROP rule (add one ACCEPT line per trusted address), and the rules must be persisted so they survive a reboot. Note that the RestAPI is served by the site's web server, so restricting [API_PORT] also restricts the web GUI on that port.

iptables -A INPUT -p tcp --dport [API_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [API_PORT] -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Checkmk from critical systems.
  • Enforce least privilege access controls and monitor RestAPI usage for suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check the Checkmk version: if the site runs a version below 2.0.0p36, 2.1.0p28 or 2.2.0b8 on its branch and the RestAPI is enabled, it is vulnerable.

Check Version:

omd version

Verify Fix Applied:

Verify that the version is at least 2.0.0p36, 2.1.0p28 or 2.2.0b8 on its respective branch.
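An added helper, not part of this advisory or of Checkmk itself, that applies the thresholds above to the output of omd version. It assumes Checkmk's usual version strings (e.g. 2.1.0p27.cre, with the edition suffix ignored) and ranks beta < final release < patch release within a branch; branches the advisory does not name return None, and daily/development builds are out of scope.

```python
import re
import subprocess

# Earliest fixed release on each affected branch, from the advisory (werk 15191).
# Tuple layout: (major, minor, micro, stage_rank, stage_number).
FIXED = {
    (2, 0, 0): (2, 0, 0, 2, 36),  # 2.0.0p36
    (2, 1, 0): (2, 1, 0, 2, 28),  # 2.1.0p28
    (2, 2, 0): (2, 2, 0, 0, 8),   # 2.2.0b8
}

# Within one branch a beta precedes the final release, which precedes patch releases.
STAGE_RANK = {"b": 0, "": 1, "p": 2}

# Matches "2.1.0p27", "2.2.0b8" or "2.2.0"; the edition suffix (.cre/.cee/...) is ignored.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:([bp])(\d+))?")


def parse_version(text):
    """Return a comparable tuple for the first Checkmk version found in `text`, else None."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, micro, stage, num = m.groups()
    return (int(major), int(minor), int(micro), STAGE_RANK[stage or ""], int(num or 0))


def is_vulnerable(text):
    """True if the version predates the fix on its branch, False if it is fixed,
    None if the branch is not one the advisory lists (2.0.0, 2.1.0, 2.2.0)."""
    version = parse_version(text)
    if version is None:
        raise ValueError("no Checkmk version string in %r" % text)
    fixed = FIXED.get(version[:3])
    if fixed is None:
        return None
    return version < fixed


def check_local_site():
    """Run `omd version` on this host (assumed wrapper; requires OMD to be installed)."""
    out = subprocess.run(["omd", "version"], capture_output=True, text=True, check=True).stdout
    return is_vulnerable(out)


if __name__ == "__main__":
    # Constructed sample line in the format `omd version` prints.
    sample = "OMD - Open Monitoring Distribution Version 2.1.0p27.cre"
    status = {True: "VULNERABLE", False: "fixed", None: "branch not covered by advisory"}
    print(sample, "->", status[is_vulnerable(sample)])
```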

📡 Detection & Monitoring

Log Indicators:

  • Unusual livestatus command patterns in Checkmk logs
  • Multiple failed authentication attempts followed by successful API access

Network Indicators:

  • Unexpected outbound connections from Checkmk server
  • Unusual API request patterns to RestAPI endpoints

SIEM Query:

source="checkmk.log" AND "livestatus" AND ("command" OR "exec")
