CVE-2024-13722
📋 TL;DR
The NagVis component in Checkmk is vulnerable to reflected cross-site scripting (XSS), allowing attackers to craft malicious links that execute arbitrary JavaScript in victims' browsers. This affects both authenticated and unauthenticated users who click the malicious link. The vulnerability enables session hijacking, credential theft, and client-side attacks.
💻 Affected Systems
- Checkmk with NagVis component
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator credentials, hijack sessions, deploy malware to users' systems, or pivot to internal network compromise.
Likely Case
Session hijacking leading to unauthorized access, credential theft from users, or defacement of the NagVis interface.
If Mitigated
Limited impact with proper input validation, output encoding, and user awareness about suspicious links.
🎯 Exploit Status
Exploitation requires user interaction (clicking a malicious link). Public proof-of-concept details are available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Checkmk 2.3.0p10
Vendor Advisory: https://checkmk.com/werks?version=2.3.0p10
Restart Required: Yes
Instructions:
1. Back up your Checkmk configuration.
2. Update Checkmk to version 2.3.0p10 or later using your package manager.
3. Restart the Checkmk services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Input Validation and Output Encoding
Implement server-side input validation and output encoding for NagVis parameters to prevent XSS payload execution.
Modify NagVis source code to sanitize user input and encode output. Consult NagVis documentation for specific implementation.
Web Application Firewall (WAF)
Deploy a WAF with XSS protection rules to block malicious requests targeting the NagVis component.
Configure WAF rules to detect and block XSS patterns in NagVis URLs and parameters.
🧯 If You Can't Patch
- Disable the NagVis component if not required for operations.
- Implement strict Content Security Policy (CSP) headers to mitigate script execution from untrusted sources.
🔍 How to Verify
Check if Vulnerable:
Check your Checkmk version. If it's below 2.3.0p10 and NagVis is enabled, you are vulnerable.
Check Version:
omd version
Verify Fix Applied:
After updating to 2.3.0p10 or later, verify the version and test NagVis functionality to ensure it works without XSS vulnerabilities.
📡 Detection & Monitoring
Log Indicators:
- Unusual URL parameters in NagVis access logs containing JavaScript or HTML payloads
- Multiple failed XSS attempts in web server logs
Network Indicators:
- HTTP requests to NagVis with suspicious query strings containing script tags or JavaScript code
SIEM Query:
source="web_access_logs" AND uri_path="/nagvis" AND (query_string CONTAINS "<script>" OR query_string CONTAINS "javascript:")
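The SIEM query above matches the literal strings "<script>" and "javascript:", but in a real access log the query string is usually percent-encoded (a script tag arrives as %3Cscript%3E), so a literal match misses it. The following Python script is an added example, not part of this CVE record or of Checkmk/NagVis: it parses combined-format access log lines, scopes the check to the /nagvis path as the SIEM query does, URL-decodes the query string (repeatedly, to catch double encoding) and then looks for the same two indicators case-insensitively. The log lines, IP addresses, paths and the "view" parameter name are constructed placeholders, not values from the advisory.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in combined log format. The addresses, paths and the
# "view" parameter name are placeholders, not values taken from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Feb/2025:10:12:01 +0000] "GET /nagvis/index.php?mod=Overview HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Feb/2025:10:12:09 +0000] "GET /nagvis/index.php?view=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Feb/2025:10:12:15 +0000] "GET /nagvis/index.php?view=JaVaScRiPt%3Aalert(1) HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.2 - - [04/Feb/2025:10:13:00 +0000] "GET /check_mk/index.py?q=%3Cscript%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The two indicators the SIEM query looks for, matched case-insensitively after decoding.
INDICATORS = ("<script", "javascript:")
NAGVIS_PREFIX = "/nagvis"


def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so percent-encoded or double-encoded payloads become visible."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_indicators(log_text: str) -> list[dict]:
    """Return one record per NagVis request whose decoded query string contains an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it rather than abort the scan
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith(NAGVIS_PREFIX):
            continue  # scope the rule to the NagVis component, as the SIEM query does
        query = decode_fully(parts.query).lower()
        for indicator in INDICATORS:
            if indicator in query:
                hits.append({
                    "ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "path": parts.path,
                    "indicator": indicator,
                    "status": m.group("status"),
                })
                break  # one record per request is enough for triage
    return hits


if __name__ == "__main__":
    for hit in find_xss_indicators(SAMPLE_LOG):
        print(hit)
```

Run against the constructed sample, the script flags the second and third requests (encoded script tag, mixed-case javascript: scheme) and ignores the first (benign) and fourth (outside the /nagvis path). Decoding before matching is the point: a rule that only searches the raw URI for "<script>" would report none of them.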
🔗 References
- https://checkmk.com/werks?version=2.3.0p10
- https://korelogic.com/Resources/Advisories/KL-001-2025-001.txt
- https://www.nagvis.org/downloads/changelog/1.9.42
- http://seclists.org/fulldisclosure/2025/Feb/3
- http://www.openwall.com/lists/oss-security/2025/02/04/3
- https://lists.debian.org/debian-lts-announce/2025/05/msg00000.html