Today, we are releasing security updates for Icinga 2 fixing a critical vulnerability that allowed to bypass the certificate validation for JSON-RPC and HTTP API connections.
Impact
The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set).
By impersonating a trusted cluster node like a master or satellite, an attacker can supply a malicious configuration update to other nodes (if the accept_config attribute of the ApiListener object is set to true) or instruct the other node to execute malicious commands directly (if the accept_commands attribute of the ApiListener object is set to true). These attributes are expected to be set in most distributed installations, but in case they are not, an attacker can still retrieve potentially sensitive information.
When impersonating API users, the impact depends on the permissions configured for the individual users using certificate authentication. This may include permissions like updating the configuration and executing commands as well.
We expect most installations to be affected by this vulnerability and recommend upgrading as soon as possible.
Patches
The following fixed versions were released:
- v2.14.3
- v2.13.10
- v2.12.11
- v2.11.12
The source code for the new versions can be found in our Git repository. Updated binary packages are available on packages.icinga.com and the Icinga for Windows repository. Updated container images are available on Docker Hub. Updated Helm Charts are provided in the corresponding repository.
Given the severity of the issue, users are advised to upgrade immediately.
Workarounds
There is no known way to work around this in Icinga 2. Access to the Icinga 2 API port can be restricted using firewalls to reduce the impact.
Details
In order to allow some time for patching, the full report with more details on the vulnerability including how to reproduce it will be released in two weeks on 2024-11-26.
Acknowledgements
We would like to thank Finn Steglich for finding and reporting this issue.
References
- GitHub Security Advisory
- Patch (source code): master branch, v2.14.3, v2.13.10, v2.12.11, v2.11.12
For more information
If you have any questions or comments about this advisory, please ask in our community forum or email us at info@icinga.com.
For reporting possible security issues, please see the information on our website.
