back to website

Werk #17348: Disable access to check_mk/local/agents/

Component Site management
Title Disable access to check_mk/local/agents/
Date Apr 8, 2025
Level Trivial Change
Class Security Fix
Compatibility Incompatible - Manual interaction might be required
Checkmk versions & editions
2.5.0b1
Not yet released 		Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.4.0b6 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

Checkmk serves the builtin agents and plugins without authentication via http(s) under http(s)://fqdn/sitename/check_mk/agents/. This allows customers i.a. to install an default agent very easy. Customized agents that are stored in local/share/check_mk/agents are served also without authentication on http(s)://fqdn/sitename/check_mk/local/agents/.

If customers use the rule Deploy custom files with agent the same path is used. These custom files are therefore exposed without authentication. We discourage to transfer/deploy secrets with these files but we must also see what the reality in certain environment is. Therefore this path is no longer accessible via http(s).

If you rely on that path being accessible you can add a custom configuration file to the site apache, e.g. etc/apache/conf.d/000_custom.conf. (Please be aware that the following config must be placed in front of the other config files.)

Alias /sitename/check_mk/local/agents /omd/sites/sitename/local/share/check_mk/agents
<Directory /omd/sites/sitename/local/share/check_mk/agents>
  Options +Indexes
  Order deny,allow
  allow from all
</Directory>

We thank Norman Kühnberger (IT Südwestfalen GmbH) for reporting this issue.

Affected Versions:

  • 2.4.0 (beta)
  • 2.3.0
  • 2.2.0
  • 2.1.0 (EOL)

Mitigations:

This is a major change and will most likely not be backported to 2.3.0 and 2.2.0.

You should review all files in local/share/check_mk/agents and make sure these do not contain any sensitive information.

If you want to disable the path manually you can also add a custom config file e.g. etc/apache/conf.d/000_werk_17348.conf with the following content:

Redirect gone /sitename/check_mk/local/agents

In case you manually disable this path we recommend to add a http check for that path to monitor that.

Indicators of Compromise:

If you reviewed your files in local/share/check_mk/agents and they contained sensitive data you can check if those files were accessed in the apache access log in var/log/apache/access_log. Please be aware that these logs are rotated.

Vulnerability Management:

We have rated the issue with a CVSS Score of 6.3 Medium (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N) and assigned CVE-2025-3506.

To the list of all Werks

The Checkmk logo (formerly known as Check_MK) is a trademark of Checkmk GmbH. ©2025 Checkmk GmbH. All rights reserved.

Join our hybrid Monitoring Community event from May 20-22 in Munich and learn more about the latest Checkmk features and our roadmap at the Checkmk Conference #11

Register now