CVE-2024-0670

8.8 HIGH

📋 TL;DR

This vulnerability allows local users on Windows systems running vulnerable Checkmk agent plugins to escalate privileges to SYSTEM level. It affects Checkmk monitoring installations where the Windows agent plugin is deployed. Attackers with local access can exploit this to gain full control of affected systems.

💻 Affected Systems

Products:
  • Checkmk Windows Agent Plugin
Versions: Checkmk versions before 2.2.0p23, before 2.1.0p40, and all 2.0.0 versions (EOL)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows systems with Checkmk agent plugin installed. Linux/Unix systems are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, lateral movement, and data exfiltration.

🟠

Likely Case

Local privilege escalation allowing attackers to bypass security controls, install additional tools, and maintain persistence on compromised systems.

🟢

If Mitigated

Limited impact if proper access controls, endpoint protection, and monitoring are in place to detect and block privilege escalation attempts.

🌐 Internet-Facing: LOW - This requires local access to the system, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts can exploit this to gain full system control and move laterally.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly disclosed in the Full Disclosure mailing list. Requires local user access but no special privileges to initiate.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.0p23, 2.1.0p40, or later

Vendor Advisory: https://checkmk.com/werk/16361

Restart Required: Yes

Instructions:

1. Update Checkmk to version 2.2.0p23 or 2.1.0p40 or later.
2. Update the Windows agent plugins on all monitored Windows systems.
3. Restart the Checkmk services and the Windows agents.

🔧 Temporary Workarounds

Restrict Local Access (windows)

Limit local user access to systems running the Checkmk Windows agent to trusted administrators only.

Remove Unnecessary Privileges (windows)

Review and reduce local user privileges on affected Windows systems.

🧯 If You Can't Patch

  • Implement strict access controls to limit who can log into affected Windows systems
  • Deploy endpoint detection and response (EDR) solutions to monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check Checkmk version on server and verify Windows agent plugin version on client systems. Vulnerable if version is below 2.2.0p23 for 2.2.x, below 2.1.0p40 for 2.1.x, or any 2.0.0 version.

Check Version:

On the Checkmk server, run 'omd version'. On Windows, check the Checkmk agent service properties or the installed programs list.

Verify Fix Applied:

Confirm Checkmk server is updated to 2.2.0p23 or 2.1.0p40 or later, and Windows agents show updated plugin versions.
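A version check of the kind described above, added here as an example (not the advisory's or Checkmk's own code): it extracts the Checkmk version from a version string or from 'omd version' output and applies the fixed-version thresholds stated in this advisory. The 'omd version' sample line is constructed, and branches the advisory does not list are reported as not covered.

```python
import re

# Thresholds from the advisory: fixed in 2.2.0p23 and 2.1.0p40;
# every 2.0.0 release is EOL and never received a fix.
FIXED_PATCH_LEVEL = {(2, 2, 0): 23, (2, 1, 0): 40}
EOL_BRANCHES = {(2, 0, 0)}

# Matches "2.2.0p22" and also "2.2.0" (no p-level); trailing ".cre"/".cee" is ignored.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_checkmk_version(text):
    """Return (major, minor, patch, plevel) found in text; a missing p-level counts as p0."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Checkmk version found in {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_vulnerable(version):
    """True/False against the advisory thresholds; None for branches it does not list."""
    branch, plevel = version[:3], version[3]
    if branch in EOL_BRANCHES:
        return True
    if branch in FIXED_PATCH_LEVEL:
        return plevel < FIXED_PATCH_LEVEL[branch]
    return None


def check_omd_output(line):
    """Classify one 'omd version' output line (constructed sample below)."""
    version = parse_checkmk_version(line)
    return version, is_vulnerable(version)


if __name__ == "__main__":
    # Constructed sample, not captured from a real server.
    sample = "OMD - Open Monitoring Distribution Version 2.2.0p22.cre"
    version, vulnerable = check_omd_output(sample)
    print(f"{sample!r} -> {version} vulnerable={vulnerable}")
```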

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing unexpected privilege escalation, Checkmk agent service restarts, or unusual process creation with SYSTEM privileges

Network Indicators:

  • Unusual outbound connections from Windows systems after local user login

SIEM Query:

EventID=4688 AND (NewProcessName LIKE '%cmd.exe%' OR NewProcessName LIKE '%powershell.exe%') AND SubjectUserName NOT IN (admin_list) AND TokenElevationType='%%1938'

🔗 References
