Werk #17011: Fix local IP restriction of internal HTTP endpoints

Component Setup
Title Fix local IP restriction of internal HTTP endpoints
Date Jun 19, 2024
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.4.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0p11 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p32 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p47 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

Checkmk has some complex functionalities that are hidden behind an internal HTTP endpoint page. These pages are only meant to be accessed by internal processes, e.g. a cron runner or creating diagrams for notifications. Therefore these pages are protected to be only accessible locally. In order to recognize the client IP through the usage of a reverse proxy Checkmk uses the X-Forwarded-For header. That header is added and complemented by mod_proxy and usually trustworthy. When the site apache is exposed directly to the network though (e.g. the default docker setup) no proxy apache is there to curate this header. To mitigate this the site apache is supposed to filter these internal page URIs to be only accessible by localhost. This mitigation failed due to some outdated configuration and wrong configuration ordering.

This only affects systems which expose the site apache port to the network typically 5000. If you run Checkmk behind a reverse proxy (the default if you installed a installation package) you are not affected!

This vulnerability was identified in a commissioned penetration test conducted by PS Positive Security GmbH.

Affected Versions:

  • 2.3.0
  • 2.2.0
  • 2.1.0
  • 2.0.0 (probably older versions as well)

Mitigations: You can add the following configuration to the site apache configuration, e.g. etc/apache/conf.d/zzz_werk17011.conf:

<Location "/###SITE###/check_mk/run_cron.py">
    Order deny,allow
    Deny from all
    Require local
    Satisfy any
</Location>
#  Webservice for graph images used by notifications
<Location "/###SITE###/check_mk/ajax_graph_images.py">
    Order deny,allow
    Deny from all
    Require local
    Satisfy any
</Location>

Indicators of Compromise: You can check the apache access log var/log/apache/access_log for calls to run_cron.py or ajax_graph_images.py from network hosts. E.g. grep --extended-regexp "^[^-].+(run_cron|ajax_graph_images.py)" var/log/apache/access_log

Vulnerability Management: We have rated the issue with a CVSS Score of 5.3 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. We assigned CVE-2024-6163 to this vulnerability.

Changes: This Werk fixes the configuration syntax and ordering.

To the list of all Werks