Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <0a8647b5-fd5c-4a63-ab8b-95c8268a10c1@korelogic.com>
Date: Tue, 4 Feb 2025 16:20:30 -0600
From: KoreLogic Disclosures <disclosures@...elogic.com>
To: oss-security@...ts.openwall.com
Subject: KL-001-2025-001: Checkmk NagVis Reflected Cross-site Scripting

KL-001-2025-001: Checkmk NagVis Reflected Cross-site Scripting

Title: Checkmk NagVis Reflected Cross-site Scripting
Advisory ID: KL-001-2025-001
Publication Date: 2025-02-04
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-001.txt


1. Vulnerability Details

      Affected Vendor: Checkmk
      Affected Product: Checkmk/NagVis
      Affected Version: Checkmk 2.3.0p2, NagVis 1.9.40
      Platform: GNU/Linux
      CWE Classification: CWE-79: Improper Neutralization of Input
                          During Web Page Generation
                          ('Cross-site Scripting')
      CVE ID: CVE-2024-13722


2. Vulnerability Description

      The "NagVis" component within Checkmk is vulnerable to reflected
      cross-site scripting. An attacker can craft a malicious link
      that will execute arbitrary JavaScript in the context of the
      browser once clicked. The attack can be performed on both
      authenticated and unauthenticated users.

3. Technical Description

      Checkmk version 2.3.0.p2 ships with a component named
      "NagVis", which is an addon for the network management
      system "Nagios". When receiving an HTTP POST request for the
      "userfiles/gadgets/std_table.php" file, the query and body
      parameters contained within the request are processed by the
      script. Specifically, the script accepts the "members" body
      parameter, which is then parsed as a JSON object.

      The "summary_state" property of the "members" JSON object is
      reflected into the page response without validation. A POST
      request containing a malicious "summary_state" value can inject
      arbitrary JavaScript via the HTML "script" tag into the page
      response. When rendered in a browser, the attacker controlled
      JavaScript executes, enabling an attacker to perform actions
      as the currently logged-in user.

      The "members" JSON object must be supplied via a POST
      body parameter, so exploitation of this issue relies
      on a cross-origin HTTP request originating from an
      attacker controlled web page. The malicious website
      (e.g. https://attacker.com/foo.html) can contain an HTML
      "form" tag with an "action" attribute pointing at the URL
      for the "std_table.php" script.  Additional JavaScript on the
      attacker controlled page can automatically submit the form once
      a user loads the page. The browser will send a POST request
      cross-origin and redirect the browser to the HTTP response of
      the POST request, thereby executing the malicious JavaScript
      on the NagVis web page.

4. Mitigation and Remediation Recommendation

      This issue has been remediated in Nagvis 1.9.42 and Checkmk
      2.3.0p10, both release 2024-07-15.


5. Credit

      This vulnerability was discovered by Jaggar Henry and Jim
      Becher of KoreLogic, Inc.


6. Disclosure Timeline

      2024-06-11 : KoreLogic reports vulnerability details to Checkmk
                   Security Team.
      2024-06-12 : Checkmk acknowledges receipt.
      2024-06-21 : Checkmk requests an extension of embargo to
                   90 business days.
      2024-07-15 : Checkmk/NagVis release versions featuring
                   remediation for the reported vulnerability.
                   Checkmk neglects to inform KoreLogic of this event.
      2024-11-22 : KoreLogic requests an update from Checkmk but
                   receives no reply.
      2025-02-04 : KoreLogic public disclosure.


7. Proof of Concept

      1) Serve the following HTML from a web server (e.g. python -m http.server)
      2) View the URL serving the file in a web browser:
          <html>
               <form method='POST' 
action='http://checkmkhost/cmk/nagvis/userfiles/gadgets/std_table.php?object_id=1337&scale=100&opts=show_service_states=foo;group_states=0;&type=dyngroup&object_types=host&state=FL'>
                    <input type='hidden' name='members' 
value='[{"summary_in_downtime":1,"summary_state":"\"><script>eval(window.name)</script>"}]'>
               </form>

               <script>
                    window.onload = function() {
                         window.name = `prompt('KoreLogic')`;
                         document.forms[0].submit();
                    }
               </script>
          </html>


The contents of this advisory are copyright(c) 2025
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy


Download attachment "OpenPGP_signature.asc" of type "application/pgp-signature" (841 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.