Today we have published a security release for Icinga for Windows for the versions 1.3.x, 1.4.x and 1.5.x. If you are running one of these versions, or an even older one than 1.3.x, and use the Icinga for Windows service, we highly recommend updating to the latest version.
What Happened
The path pointing to the Icinga for Windows service binary icinga-service.exe is not encapsulated inside double quotes (") during creation. This might open a vulnerability and provide an attack vector for attackers who already have access to the machine. In the worst case, an attacker can place a binary file at the location where the unquoted path is cut off at a whitespace. This binary is then executed with the privileges the service is running with, which could cause a security issue.
You can read this blog post by Jeff Liford to get a better idea of the problem.
If you are not using the Icinga for Windows service, you do not need to worry right now, but you should still update in case you want to use the feature later on.
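As an added example, not the advisory's own text nor the scripts from the Icinga knowledge base, the following audit walks every service on the host and reports the condition described above: an unquoted binary path that contains a space. The -Fix switch and the direct registry write are assumptions of this example; for an Icinga installation, the knowledge base scripts remain the supported repair.

```powershell
# Added audit example: list services whose ImagePath is unquoted and contains
# spaces. With -Fix, rewrite the path with the executable wrapped in quotes.
# Requires an elevated PowerShell session for the -Fix registry write.
param([switch]$Fix)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
Get-ChildItem -Path $base | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    $image = $props.ImagePath          # REG_EXPAND_SZ values arrive already expanded
    if (-not $image) { return }        # drivers/keys without an ImagePath

    # A path that starts with a quote, or has no space at all, resolves unambiguously.
    if ($image.StartsWith('"')) { return }
    if ($image -notmatch ' ') { return }

    # Split executable from arguments: the executable is the shortest prefix
    # ending in ".exe"; everything after it is the argument string.
    $m = [regex]::Match($image, '^(.+?\.exe)(\s.*)?$', 'IgnoreCase')
    if (-not $m.Success) { return }    # e.g. kernel drivers (.sys) are skipped
    $exe    = $m.Groups[1].Value
    $argStr = $m.Groups[2].Value
    if ($exe -notmatch ' ') { return } # spaces only inside the arguments are harmless

    $fixed = "`"$exe`"$argStr"
    [pscustomobject]@{
        Service   = $_.PSChildName
        ImagePath = $image
        Fixed     = $fixed
    }

    if ($Fix) {
        # Takes effect the next time the service starts; no restart is forced here.
        Set-ItemProperty -Path $_.PSPath -Name ImagePath -Value $fixed
    }
}
```

Run it without -Fix first and review the report; any service listed has the same unquoted-path condition the advisory describes for icinga-service.exe.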
How to resolve it
We published a knowledge base entry for this, including scripts to test whether you are affected by this vulnerability and to update your service installation after you have updated your Icinga for Windows version.
All three packages are already released and can be downloaded from GitHub.
Thank you for bringing this to our attention. If you have any questions or require further information, please feel free to reach out to us.