Critical Security Advisory for Icinga 2 (CVE-2024-49369)
Applying security updates is urged, as a full report with technical details of the vulnerability is expected
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
Icinga has released a blog post and a security advisory that addresses a flaw in TLS certificate validation for Icinga 2, a monitoring system that checks the availability of network resources, notifies users of outages, and generates performance data for reporting.
CVE-2024-49369 is an 'improper certificate validation' vulnerability with a CVSSv3 score of 9.8. An attacker could exploit it to impersonate a trusted cluster node or an application programming interface (API) user that authenticates with a TLS client certificate.
By impersonating a trusted cluster node, an attacker can supply a malicious configuration update to other nodes, instruct another node to execute malicious commands, or retrieve sensitive information. When impersonating API users, the impact depends on the permissions, but in some cases it may allow an attacker to gain permissions to update configurations or execute commands.
Proof-of-concept details expected soon
In the security advisory, Icinga notes that the full report with more details on the vulnerability (including how to reproduce it) will be released on 26 November 2024.
Remediation advice
Affected organisations are encouraged to read Icinga's blog post 'Critical Icinga 2 Security Releases: 2.14.3, 2.13.10, 2.12.11, 2.11.12 (CVE-2024-49369)', review security advisory GHSA-j7wq-r9mg-9wpv, and apply any relevant patches as soon as practicable.
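As an added check (not code from Icinga's advisory or blog post), the helper below classifies an installed Icinga 2 version against the four fixed releases named above, branch by branch, so a fleet can be triaged before the full report is published. It assumes the banner printed by `icinga2 --version` contains a `(version: rX.Y.Z-N)` string; the sample banners are constructed.

```python
import re

# Fixed releases named in Icinga's advisory for CVE-2024-49369, keyed by
# release branch (major, minor). Anything on one of these branches below
# the listed patch level is treated as affected.
FIXED_RELEASES = {
    (2, 14): (2, 14, 3),
    (2, 13): (2, 13, 10),
    (2, 12): (2, 12, 11),
    (2, 11): (2, 11, 12),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Extract the first X.Y.Z triple from a version string or banner.

    Accepts a plain '2.14.2' as well as the 'r2.14.2-1' form found in
    build strings; anything without an X.Y.Z triple raises ValueError.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def assess(text: str) -> str:
    """Return 'fixed', 'affected' or 'unknown' for an Icinga 2 version.

    'unknown' means the advisory lists no fixed release for that branch
    (e.g. 2.10 or 3.0), so the node needs manual review, not a pass mark.
    """
    version = parse_version(text)
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return "unknown"
    return "fixed" if version >= fixed else "affected"


if __name__ == "__main__":
    # Constructed sample banners (assumed 'icinga2 --version' shape);
    # substitute the real output collected from each node.
    samples = [
        "icinga2 - The Icinga 2 network monitoring daemon (version: r2.14.2-1)",
        "icinga2 - The Icinga 2 network monitoring daemon (version: r2.14.3-1)",
        "2.13.9",
        "2.11.12",
        "2.10.7",
    ]
    for s in samples:
        print(f"{assess(s):9} {s}")
```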
Last edited: 14 November 2024 3:11 pm