CVE-2023-6156

Q: How do I fix CVE-2023-6156?

1. Backup your Checkmk configuration. 2. Update to Checkmk 2.0.0p40, 2.1.0p37, or 2.2.0p15 or later. 3. Restart the Checkmk services. 4. Verify the update was successful.

Q: What is the severity of CVE-2023-6156?

CVE-2023-6156 has a CVSS score of 7.6 (HIGH). This vulnerability allows authorized users of Checkmk to execute arbitrary livestatus commands by exploiting improper neutralization of command delimiters in the availability timeline. Attackers with valid credentials can potentially execute unauthorized commands on the monitoring system. Affected versions include Checkmk <= 2.0.0p39, < 2.1.0p37, and < 2.2.0p15.

7.6 HIGH

📋 TL;DR

This vulnerability allows authorized users of Checkmk to execute arbitrary livestatus commands by exploiting improper neutralization of command delimiters in the availability timeline. Attackers with valid credentials can potentially execute unauthorized commands on the monitoring system. Affected versions include Checkmk <= 2.0.0p39, < 2.1.0p37, and < 2.2.0p15.

💻 Affected Systems

Products:

Checkmk

Versions: Checkmk <= 2.0.0p39, < 2.1.0p37, and < 2.2.0p15

Operating Systems: Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems with authorized users who have access to the availability timeline feature. The vulnerability requires authentication to exploit.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Authorized malicious user gains full control of the monitoring system, executes arbitrary commands, accesses sensitive monitoring data, and potentially pivots to other systems in the environment.

🟠

Likely Case

Authorized user with limited privileges escalates their access to execute unauthorized livestatus commands, potentially disrupting monitoring or accessing sensitive system information.

🟢

If Mitigated

With proper access controls and network segmentation, impact is limited to the monitoring system itself without ability to pivot to production systems.

🌐 Internet-Facing: MEDIUM - If Checkmk web interface is exposed to the internet, authorized users could exploit this remotely, but authentication is required.

🏢 Internal Only: HIGH - Internal authorized users (including compromised accounts) can exploit this vulnerability to execute arbitrary commands on the monitoring system.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authorized user access. The vulnerability involves command injection through improper input sanitization in livestatus command delimiters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Checkmk 2.0.0p40, 2.1.0p37, 2.2.0p15 and later

Vendor Advisory: https://checkmk.com/werk/16221

Restart Required: Yes

Instructions:

1. Backup your Checkmk configuration. 2. Update to Checkmk 2.0.0p40, 2.1.0p37, or 2.2.0p15 or later. 3. Restart the Checkmk services. 4. Verify the update was successful.

🔧 Temporary Workarounds

Restrict User Access

all

Limit access to the availability timeline feature to only essential users who require it for their duties.

Network Segmentation

all

Isolate the Checkmk monitoring system from production systems to limit potential lateral movement if exploited.

🧯 If You Can't Patch

Implement strict access controls and review user permissions for Checkmk
Monitor livestatus command logs for unusual activity and implement alerting

🔍 How to Verify

Check if Vulnerable:

Check your Checkmk version using 'omd version' command and compare against affected versions: <= 2.0.0p39, < 2.1.0p37, < 2.2.0p15

Check Version:

omd version

Verify Fix Applied:

After patching, verify version is 2.0.0p40+, 2.1.0p37+, or 2.2.0p15+ using 'omd version' command

📡 Detection & Monitoring

Log Indicators:

Unusual livestatus commands in Checkmk logs
Multiple failed authentication attempts followed by successful login and livestatus commands
Commands with unusual delimiters or special characters in availability timeline requests

Network Indicators:

Unusual livestatus API calls from user accounts
Multiple livestatus commands in quick succession from single user

SIEM Query:

source="checkmk" AND (livestatus_command="*;*" OR livestatus_command="*|*" OR livestatus_command="*&*")

📊 Metadata

CVE ID: CVE-2023-6156

CVSS v3 Score: 7.6 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

CWE: CWE-140

Published: November 22, 2023

Last Updated: November 21, 2024

🔗 References

https://checkmk.com/werk/16221 Vendor Advisory
https://checkmk.com/werk/16221 Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk