Dear Checkmk Community,
We would like to inform you that there was a critical security vulnerability that was recently identified in the Checkmk Appliance.
The vulnerability affects all releases of the Checkmk Appliance before 1.4.17 and all models (rack, virt).
An unauthenticated attacker would be able to retrieve the device secret from the web configuration interface of the appliance and could bypass the authentication. This vulnerability has been rated as severity rating Critical (10.0), according to the scale published on the Common Vulnerability Scoring System (CVSS).
The vulnerability was identified during an internal security audit. Once we became aware of the issue, we took immediate action to investigate the matter and published the release 1.4.17 to fix the issue.
In order to fix the vulnerability in your environment, we highly recommend to update your Checkmk appliance installations to 1.4.17 or newer.
Details can be found here: SEC: Fix web configuration authentication bypass
The version can be downloaded here: Download Checkmk for free | Checkmk
So far we do not have any evidence to suggest that this vulnerability was used for attacking a productive system. If you think your system may have been compromised, please contact us immediately.
We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for you and our other customers. If you have any questions, please feel free to contact us using your support contact.
Faye, on behalf of the tribe29 team