CVE-2024-47094
📋 TL;DR
This vulnerability in Checkmk monitoring software causes remote site secrets to be written to web log files accessible to local site users. Attackers with local access can read sensitive credentials from log files, potentially compromising remote monitoring connections. Affects Checkmk versions before 2.3.0p22, 2.2.0p37, and 2.1.0p50.
💻 Affected Systems
- Checkmk
📦 What is this software?
Checkmk by Checkmk
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to remote site credentials, enabling them to compromise connected monitoring infrastructure, manipulate monitoring data, or pivot to other systems.
Likely Case
Local users or attackers with local access extract sensitive credentials from log files, potentially gaining unauthorized access to remote monitoring sites.
If Mitigated
With proper log file permissions and access controls, only authorized administrators can access logs, limiting exposure.
🎯 Exploit Status
Exploitation requires local access to read log files. No authentication bypass needed if attacker already has local access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.0p22, 2.2.0p37, or 2.1.0p50
Vendor Advisory: https://checkmk.com/werk/17342
Restart Required: Yes
Instructions:
1. Back up your Checkmk configuration.
2. Update to the patched version using your package manager (apt/yum) or Checkmk's omd command.
3. Restart the Checkmk service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict log file permissions
(Linux) Change permissions on Checkmk web log files to restrict access to authorized users only.
chmod 640 /omd/sites/[SITE]/var/log/web.log
chown root:root /omd/sites/[SITE]/var/log/web.log
Rotate and secure logs
(Linux) Implement log rotation and secure storage to limit exposure of sensitive information.
Configure logrotate for Checkmk logs with secure permissions
🧯 If You Can't Patch
- Implement strict access controls on log directories and files
- Monitor log file access attempts and implement alerting for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check Checkmk version: omd version or check_mk --version. If version is below 2.3.0p22, 2.2.0p37, or 2.1.0p50, you are vulnerable.
Check Version:
omd version
Verify Fix Applied:
Verify version is 2.3.0p22 or higher (2.2.0p37 for 2.2.x, 2.1.0p50 for 2.1.x). Check that no sensitive credentials appear in recent web logs.
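The version comparison above can be scripted across several sites. The following is an added example, not code from Checkmk or from the vendor advisory. It assumes release version strings of the form N.N.NpM with an optional edition suffix; the function names and sample strings are constructed for illustration.

```python
import re

# First fixed patch level per release branch, as listed on this page.
FIXED = {"2.3.0": 22, "2.2.0": 37, "2.1.0": 50}

# Matches e.g. "2.3.0p21", "2.2.0", "2.3.0b4", optionally followed by an
# edition suffix such as ".cre" or ".cee" (assumed format, see lead-in).
_VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)(?:([pbi])(\d+))?(?:\.[a-z]{3})?\b")


def parse_version(text):
    """Return (branch, patch_level) from `omd version` output or a bare version.

    The base release counts as patch level 0 and pre-releases (b/i) as -1,
    so both sort before every pN release of the same branch.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Checkmk version found in {text!r}")
    branch, kind, num = m.groups()
    if kind == "p":
        return branch, int(num)
    return branch, 0 if kind is None else -1


def status(text):
    """Return 'vulnerable', 'fixed', or 'unknown' (branch not listed on this page)."""
    branch, patch = parse_version(text)
    if branch not in FIXED:
        return "unknown"
    return "fixed" if patch >= FIXED[branch] else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real system.
    samples = [
        "OMD - Open Monitoring Distribution Version 2.3.0p21.cre",
        "OMD - Open Monitoring Distribution Version 2.3.0p22.cee",
        "2.2.0p37",
        "2.1.0",
        "2.4.0p1",
    ]
    for s in samples:
        print(f"{status(s):10}  {s}")
```

A result of "unknown" means the branch is not one of the three this page lists, so check the vendor advisory for that release line.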
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to web.log files
- Sensitive strings like 'password', 'secret', or 'token' in log entries
Network Indicators:
- Unusual authentication attempts to remote monitoring sites from the Checkmk server
SIEM Query:
source="checkmk_web.log" AND ("password" OR "secret" OR "token")