Werk #18954: Fix rogue remote site can hijack sessions
| Component | Setup |
| Title | Fix rogue remote site can hijack sessions |
| Date | Mar 3, 2026 |
| Level | Trivial Change |
| Class | Security Fix |
| Compatibility | Compatible - no manual interaction needed |
| Checkmk versions & editions | |
Previously, the secret used to sign session cookies was copied to remote sites in distributed setups with config sync enabled. In addition, a legacy user-sync automation also synchronized user sessions to remote sites. Knowledge of the signing secret together with a valid session ID is sufficient to forge a valid cookie for that session. Consequently, administrators of remote sites (or anyone who had compromised one) were able to hijack sessions on the central site.
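As an added illustration of the failure mode described above (this is not Checkmk's code and not its actual cookie format; a generic HMAC-SHA256 signed cookie, constructed secrets and a constructed session ID are assumed), the following shows that whoever holds a copy of the signing secret can mint a cookie for any session ID they know, and that a secret kept private to the central site makes the same forgery fail:

```python
import hashlib
import hmac
from typing import Optional

# Generic HMAC-signed session cookie, assumed for illustration only;
# this is not Checkmk's cookie format or signing code.
COOKIE_SEP = ":"


def sign_session(session_id: str, secret: bytes) -> str:
    """Return a cookie value binding session_id to an HMAC-SHA256 tag under secret."""
    tag = hmac.new(secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{session_id}{COOKIE_SEP}{tag}"


def verify_session(cookie: str, secret: bytes) -> Optional[str]:
    """Return the session ID if the cookie's tag is valid under secret, else None."""
    session_id, sep, tag = cookie.rpartition(COOKIE_SEP)
    if not sep or not session_id:
        return None
    expected = hmac.new(secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    return session_id


def remote_can_hijack(secret_is_synced: bool) -> bool:
    """Model the werk's scenario: a remote-site admin knows a valid central-site
    session ID (constructed value, standing in for one learned via session sync)
    and whatever signing secret the remote site holds.
    Returns True if the cookie they forge is accepted by the central site."""
    central_secret = b"central-site-signing-secret"  # constructed
    if secret_is_synced:
        remote_secret = central_secret  # config sync copied it (pre-fix behaviour)
    else:
        remote_secret = b"remote-site-own-secret"  # fixed: secret is not copied
    known_session_id = "sess-8f1c2d"  # constructed
    forged_cookie = sign_session(known_session_id, remote_secret)
    return verify_session(forged_cookie, central_secret) == known_session_id


if __name__ == "__main__":
    print("synced secret, forged cookie accepted:", remote_can_hijack(True))
    print("separate secret, forged cookie accepted:", remote_can_hijack(False))
```

The point the scenario makes is that the signature proves only possession of the secret, not identity of the signer: once the secret crosses a trust boundary, every holder is equivalent to the central site.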
We thank Lisa Gnedt (SBA Research) for reporting this issue.
Who's Affected:
Affected are distributed setups with config sync enabled in which any remote site may be compromised by, or is administered by, a party that should not have access to the central site.
Affected Versions:
- 2.4.0
- 2.3.0
- 2.2.0 (EOL)
Indicators of Compromise:
The legacy sync automation results in an HTTP request with `&command=push-profile&` in its path.
If trustworthy web server logs are available, requests matching this pattern indicate an attack.
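One way to search access logs for this indicator, as an added example that is not part of the werk (it assumes Apache combined log format for the site web server; the sample lines and URL paths are constructed, and the regex deliberately generalizes the page's `&command=push-profile&` pattern to also match the parameter in first or last position, which is an assumption):

```python
import re
from typing import Dict, Iterable, List

# Indicator from the werk: the legacy profile-push automation sends a request
# carrying command=push-profile. The werk gives the pattern "&command=push-profile&";
# this regex additionally accepts it as the first or last query parameter (assumption).
PUSH_PROFILE = re.compile(r"[?&]command=push-profile(?:&|$)")

# Apache combined log format, assumed for the site web server's access log.
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic); the URL paths are assumed.
SAMPLE_LOG = """\
10.0.1.5 - - [03/Mar/2026:10:12:01 +0100] "POST /central/check_mk/automation.py?command=push-profile&debug=0 HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.1.5 - - [03/Mar/2026:10:12:05 +0100] "GET /central/check_mk/index.py HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.1.9 - - [03/Mar/2026:10:13:40 +0100] "POST /central/check_mk/automation.py?debug=0&command=push-profile HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.1.9 - - [03/Mar/2026:10:14:00 +0100] "GET /central/check_mk/automation.py?command=push-profiles HTTP/1.1" 404 0 "-" "curl/8.4"
"""


def find_push_profile(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per access-log line whose request carries command=push-profile.
    Lines that do not parse as combined format are skipped rather than raising,
    so the scan can run over a whole log directory unattended."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = COMBINED.match(line.rstrip("\n"))
        if not m:
            continue
        if PUSH_PROFILE.search(m.group("path")):
            hits.append({k: m.group(k) for k in ("host", "time", "method", "path", "status")})
    return hits


if __name__ == "__main__":
    for hit in find_push_profile(SAMPLE_LOG.splitlines()):
        print(f"{hit['time']} {hit['host']} {hit['method']} {hit['path']} -> {hit['status']}")
```

The fourth sample line (`command=push-profiles`) is a deliberate near miss: anchoring the parameter name with `&` or end-of-string keeps the scan from flagging unrelated commands that merely share the prefix. The source address and timestamp of each hit are what you would then correlate with the remote site's own logs and with session activity on the central site.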
Vulnerability Management:
We have rated the issue with a CVSS score of 7.3 (High) (CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) and assigned CVE-2025-64998.