Full Report
Checkmk is an IT infrastructure monitoring solution written in Python and C++, comparable to Zabbix and Icinga. Its architecture places an Apache reverse proxy in front of several web services. The first is the Checkmk GUI, a Python WSGI application, together with a PHP wrapper that integrates the open-source NagVis; these make up the core monitoring services. Through them, the Livestatus Query Language (LQL) can be used to query information about the devices being monitored. A separate service, the agent-receiver, routes registered agents and collects information about them.

First, the researchers found a server-side request forgery (SSRF) in the agent-receiver, which lets an attacker reach services that are only accessible on localhost. Although the request must carry an authorization header, the service only checks that the header is present before forwarding the request. The user-supplied host name is appended to the target URL without any sanitization, giving us an SSRF bug. It is limited to GET requests, and ONLY to the Checkmk GUI, though.

The Checkmk GUI has a few endpoints that are unauthenticated when reached through a proxied request. One of these handles ajax graph images. Its query is performed through the LQL interface mentioned above, and a parameter the attacker controls is placed into that query. Since the query language is delimited by newlines, an attacker can inject newlines to change the query being made! We can even stack queries as well. Security mostly assumes that you didn't get through the first door. Once you are inside, the boundaries become blurred and things become easier. In the next post, the authors dive into HOW this arbitrary LQL query capability leads to more issues.
Analysis Summary
# Vulnerability: Unauthenticated Livestatus Query Injection via SSRF and LF Injection
## CVE Details
- **CVE ID:** CVE-2022-48321 (SSRF), CVE-2022-47909 (LF Injection)
- **CVSS Score:** 5.0 (Medium) and 6.8 (Medium/High)
- **CWE:** CWE-918 (Server-Side Request Forgery), CWE-93 (CRLF Injection)
## Affected Systems
- **Products:** Checkmk (Raw Edition verified; Enterprise Editions likely affected)
- **Versions:** 2.1.0p10 and lower
- **Configurations:** Default installations exposing TCP port 80 (Apache reverse proxy) and TCP port 8000 (agent-receiver).
## Vulnerability Description
This vulnerability chain allows an unauthenticated attacker to execute arbitrary **Livestatus Query Language (LQL)** queries against the monitoring core.
1. **SSRF (CVE-2022-48321):** The `agent-receiver` service (port 8000) incorrectly appends a user-provided hostname to a target URL without sanitization. While it requires an authorization header, it only checks for the header's presence, not its validity. This allows an attacker to proxy GET requests to the internal Checkmk GUI (localhost) which is otherwise shielded by a reverse proxy.
2. **Line Feed (LF) Injection (CVE-2022-47909):** The Checkmk GUI contains an unauthenticated endpoint for handling `ajax_graph_images`. This endpoint accepts a `force_authuser` parameter that is passed into an LQL query. Because LQL is newline-delimited, an attacker can inject `\n` characters to terminate the original query and "stack" new, arbitrary LQL commands.
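Both bugs come down to a value crossing a trust boundary unchecked: a hostname appended to a URL, and a user name spliced into a newline-delimited LQL request. The following is an added example (not Checkmk's code) of the validation that closes each gap. The function names, the agent URL layout and the sample registry are illustrative assumptions; the LQL headers used (`GET`, `Columns`, `AuthUser`, `OutputFormat`) are standard Livestatus headers.

```python
"""Input validation at the two trust boundaries described above (added
example, not Checkmk's code). Function names, the agent URL layout and the
sample registry are illustrative assumptions."""
import re
from urllib.parse import quote

# Plain DNS hostname: dot-separated labels of letters, digits and inner hyphens.
_HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
# Any ASCII control character, including CR (0x0d) and LF (0x0a).
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def validate_hostname(value: str) -> str:
    """Return value unchanged if it is a plain hostname, else raise ValueError.
    Path separators, '?', '#', '%' and whitespace never pass, so the value
    cannot redirect a URL it is appended to (the SSRF root cause above)."""
    if len(value) > 253 or not _HOSTNAME_RE.match(value):
        raise ValueError(f"not a valid hostname: {value!r}")
    return value


def agent_url(hostname: str, registered: frozenset,
              base: str = "http://127.0.0.1:5000/agents/") -> str:
    """Build the internal URL for one registered agent.
    Syntax check and membership check are both needed: the first keeps URL
    metacharacters out, the second limits proxying to hosts the service
    already knows. The base URL is a placeholder, not Checkmk's real layout."""
    host = validate_hostname(hostname)
    if host not in registered:
        raise PermissionError(f"unknown agent host: {host!r}")
    return base + quote(host, safe="")


def lql_value(value: str) -> str:
    """Return value unchanged if it is safe to splice into one LQL line.
    LQL is newline-delimited, so a CR or LF inside a value would end the
    current header and let the remainder be parsed as further headers."""
    if _CONTROL_CHARS.search(value):
        raise ValueError(f"control character in LQL value: {value!r}")
    return value


def build_host_query(auth_user: str, columns=("name", "state")) -> str:
    """Build a 'GET hosts' request scoped to one contact via the AuthUser
    header, which Livestatus uses to restrict results to objects that
    contact may see. The user name is validated before it enters the query."""
    user = lql_value(auth_user)
    return (
        "GET hosts\n"
        f"Columns: {' '.join(columns)}\n"
        f"AuthUser: {user}\n"
        "OutputFormat: json\n"
        "\n"
    )


if __name__ == "__main__":
    registry = frozenset({"web01.example.com", "db01.example.com"})
    print(agent_url("web01.example.com", registry))
    print(build_host_query("alice"), end="")
    for bad in ("web01/../gui", "web01?x=1"):
        try:
            validate_hostname(bad)
        except ValueError as exc:
            print("rejected:", exc)
    try:
        build_host_query("alice\r\ninjected")
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting rather than stripping is deliberate: a value that contains a control character or URL metacharacter is never legitimate here, and silently cleaning it would hide the probe from logs.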
## Exploitation
- **Status:** PoC available (documented in research blog); used as part of a larger RCE chain.
- **Complexity:** Medium
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Ability to query all monitored host data, IP addresses, and status info).
- **Integrity:** Medium (Potential to manipulate monitoring states depending on LQL capabilities).
- **Availability:** Low (Primarily used as a stepping stone for further attacks).
## Remediation
### Patches
- **Checkmk version 2.1.0p12** or higher resolves all identified issues in this chain.
### Workarounds
- Restrict access to TCP port 8000 (agent-receiver) to trusted IP ranges only.
- Implement strict firewall rules to ensure the internal Apache (typically port 5000) is truly unreachable from external interfaces.
## Detection
- **Indicators of Compromise:**
- Unusual GET requests in `agent-receiver` logs containing URL-encoded characters or unexpected hostnames.
- LQL logs (if enabled) showing multiple commands within a single request or queries originating from unexpected internal components.
- **Detection Methods:** Monitor for `%0A` or `%0D` sequences in the `force_authuser` parameter within web server access logs.
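The two indicators above can be checked mechanically against web server access logs. The following is an added example (not Checkmk's code) that parses Apache combined-format lines, decodes the `force_authuser` parameter before looking for CR/LF, and flags agent-receiver requests whose hostname segment is percent-encoded or is not a plain hostname. The log lines are constructed samples, and the `/agent-receiver/` prefix and the graph-image URL used in them are assumptions about path layout, not Checkmk's real paths.

```python
"""Access-log scan for the two indicators listed above (added example, not
Checkmk's code). Sample lines are constructed; the agent-receiver prefix and
the graph-image URL in them are layout assumptions."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" format: client ident user [time] "method target proto" status ...
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
_HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Constructed sample lines: a benign graph request, one carrying an encoded
# CR/LF in force_authuser, a normal agent-receiver request, and one whose
# hostname segment contains encoded path characters.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2023:10:00:01 +0000] "GET /mysite/check_mk/ajax_graph_images.py?force_authuser=alice HTTP/1.1" 200 1520
198.51.100.9 - - [10/Jan/2023:10:00:02 +0000] "GET /mysite/check_mk/ajax_graph_images.py?force_authuser=alice%0D%0Ainjected HTTP/1.1" 200 9140
203.0.113.4 - - [10/Jan/2023:10:00:03 +0000] "GET /agent-receiver/web01.example.com HTTP/1.1" 200 42
203.0.113.5 - - [10/Jan/2023:10:00:04 +0000] "GET /agent-receiver/web01%2F..%2Fgui HTTP/1.1" 200 42
"""


def parse_line(line: str):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def check_force_authuser(target: str):
    """Flag a request whose decoded force_authuser value holds any control
    character. Matching after decoding means %0A and %0a are both caught."""
    query = urlsplit(target).query
    for value in parse_qs(query, keep_blank_values=True).get("force_authuser", []):
        if _CONTROL_CHARS.search(value):
            return f"control character in force_authuser: {value!r}"
    return None


def check_agent_receiver_host(target: str, prefix: str = "/agent-receiver/"):
    """Flag an agent-receiver request whose trailing path (assumed here to be
    the registered hostname) is percent-encoded or is not a plain hostname."""
    path = urlsplit(target).path
    if not path.startswith(prefix):
        return None
    raw = path[len(prefix):]
    if "%" in raw or not _HOSTNAME_RE.match(unquote(raw)):
        return f"suspicious hostname segment in agent-receiver request: {raw!r}"
    return None


def scan_log(lines):
    """Return (client, finding) pairs for every line that trips a check."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for check in (check_force_authuser, check_agent_receiver_host):
            finding = check(rec["target"])
            if finding:
                findings.append((rec["client"], finding))
    return findings


if __name__ == "__main__":
    for client, finding in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{client}: {finding}")
```

Run it against real access logs by feeding the file's lines to `scan_log`; because the check decodes the query string first, a pattern match on the raw `%0A` text alone is not relied on.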
## References
- **Vendor Advisory:** [Checkmk Werk 14384]
- **Research:** [https://www.sonarsource.com/blog/checkmk-remote-code-execution-part-1/](https://www.sonarsource.com/blog/checkmk-remote-code-execution-part-1/)