CVE-2024-6572 in Checkmk
Summary
by MITRE • 09/09/2024
Improper host key checking in active check 'Check SFTP Service' and special agent 'VNX quotas and filesystem' in Checkmk before Checkmk 2.3.0p15, 2.2.0p33, 2.1.0p48 and 2.0.0 (EOL) allows man-in-the-middle attackers to intercept traffic
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 09/10/2024
The vulnerability identified as CVE-2024-6572 represents a critical security flaw in Checkmk monitoring software that affects multiple versions including 2.3.0p15, 2.2.0p33, 2.1.0p48, and the end-of-life 2.0.0 release. This issue specifically impacts the active check 'Check SFTP Service' and the special agent 'VNX quotas and filesystem' components within the monitoring framework. The flaw manifests as improper host key checking mechanisms that fail to adequately validate the authenticity of remote hosts during SFTP connections, creating a significant attack vector for man-in-the-middle adversaries who can intercept and potentially manipulate network traffic between monitoring agents and target systems.
The technical implementation of this vulnerability stems from inadequate cryptographic host verification procedures within the SFTP monitoring checks. When these components establish connections to remote SFTP servers, they do not properly verify the host keys presented by the remote systems, allowing attackers to present forged certificates or intercept communications without detection. This weakness directly violates fundamental security principles of public key infrastructure and cryptographic verification, creating a pathway for attackers to capture sensitive monitoring data, credentials, or manipulate system status information. The vulnerability falls under CWE-310, which specifically addresses cryptographic issues related to key management and authentication failures, and aligns with ATT&CK technique T1566 for credential harvesting through man-in-the-middle attacks.
The operational impact of this vulnerability extends beyond simple data interception, as it undermines the integrity and trustworthiness of the entire monitoring infrastructure. Attackers could potentially gain access to critical system information, manipulate monitoring alerts, or establish persistent access points within network environments. The affected components are commonly used in enterprise environments where monitoring SFTP services and storage systems is critical for operational security, making this vulnerability particularly dangerous. Organizations relying on Checkmk for system monitoring may unknowingly provide attackers with a legitimate access point to intercept communications between monitoring agents and target systems, potentially compromising the security posture of entire network infrastructures.
Organizations should immediately upgrade to patched versions of Checkmk that address this host key verification weakness, ensuring all affected monitoring components implement proper cryptographic host validation. The recommended mitigation strategy involves updating to Checkmk versions 2.3.0p15, 2.2.0p33, or 2.1.0p48, with the end-of-life 2.0.0 version requiring immediate replacement due to its lack of security updates. Additionally, network administrators should implement network-level monitoring to detect unusual traffic patterns that might indicate interception attempts, and consider deploying additional cryptographic validation measures such as certificate pinning for critical SFTP connections. Organizations should also review their existing monitoring configurations to ensure that host key verification is properly enforced across all SFTP service checks and storage monitoring agents, as the vulnerability specifically targets these components within the Checkmk framework.