CVE-2024-28829

Q: What is the severity of CVE-2024-28829?

CVE-2024-28829 has a CVSS score of 7.8 (HIGH). This vulnerability in the mk_informix Checkmk agent plugin allows local users to escalate privileges due to least privilege violations and reliance on untrusted inputs. It affects Checkmk installations with the mk_informix plugin enabled, allowing attackers with local access to gain elevated system privileges.

7.8 HIGH

📋 TL;DR

This vulnerability in the mk_informix Checkmk agent plugin allows local users to escalate privileges due to least privilege violations and reliance on untrusted inputs. It affects Checkmk installations with the mk_informix plugin enabled, allowing attackers with local access to gain elevated system privileges.

💻 Affected Systems

Products:

Checkmk

Versions: Checkmk versions before 2.3.0p12, 2.2.0p32, 2.1.0p47, and all 2.0.0 versions (EOL)

Operating Systems: Linux, Unix-based systems running Checkmk

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems with the mk_informix agent plugin enabled. Checkmk 2.0.0 is end-of-life and will not receive patches.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local attacker gains root/system administrator privileges, enabling complete system compromise, data theft, and lateral movement within the environment.

🟠

Likely Case

Local user with standard privileges escalates to administrative privileges, potentially installing malware, accessing sensitive data, or modifying system configurations.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to isolated systems with quick detection and remediation.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local system access.

🏢 Internal Only: HIGH - Internal users with local access to Checkmk servers can exploit this to gain administrative privileges.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires local access to the system. The vulnerability involves privilege boundary violations and untrusted input handling in the mk_informix plugin.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Checkmk 2.3.0p12, 2.2.0p32, or 2.1.0p47

Vendor Advisory: https://checkmk.com/werk/16249

Restart Required: Yes

Instructions:

1. Identify your Checkmk version. 2. Upgrade to the patched version: 2.3.0p12, 2.2.0p32, or 2.1.0p47. 3. Restart Checkmk services. 4. For 2.0.0, upgrade to a supported version as it is EOL.

🔧 Temporary Workarounds

Disable mk_informix plugin

linux

Temporarily disable the vulnerable mk_informix agent plugin if not required

omd config set AGENT mk_informix off
omd restart

Restrict local access

all

Implement strict access controls to limit local user access to Checkmk servers

🧯 If You Can't Patch

Disable the mk_informix plugin if not essential for monitoring
Implement strict privilege separation and monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check Checkmk version with 'omd version' and verify if mk_informix plugin is enabled in agent configuration

Check Version:

omd version

Verify Fix Applied:

Verify version is 2.3.0p12, 2.2.0p32, or 2.1.0p47 or higher, and test privilege escalation attempts fail

📡 Detection & Monitoring

Log Indicators:

Unusual privilege escalation attempts
Suspicious mk_informix plugin activity
Failed sudo/su attempts from Checkmk context

Network Indicators:

N/A - local vulnerability

SIEM Query:

source="checkmk.log" AND ("privilege" OR "escalation" OR "mk_informix")

📊 Metadata

CVE ID: CVE-2024-28829

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-272

Published: August 20, 2024

Last Updated: December 3, 2024

🔗 References

https://checkmk.com/werk/16249 Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk

Checkmk by Checkmk