Icinga for Windows – Security Release for 1.3.x, 1.4.x and 1.5.x

by | Jul 9, 2021

Today we have published a security release for Icinga for Windows for the versions 1.3.x, 1.4.x and 1.5.x. If you are running one of these versions or even older than 1.3.x and use the Icinga for Windows service, we highly recommend updating to the lastest version.

What Happened

The path pointing to the Icinga for Windows service binary icinga-service.exe is not encapsulated inside double quotes " during creation. This might open a vulnerability and provide an attack vector for attackers already having access to the machine. In worst case, attackers can place a binary file on the location of the path where the whitespace stops. This binary is then executed with the privileges the service is running with, which could cause a security issue.

You can read this blogpost by Jeff Liford to get a better idea on the problem.

If you are not using the Icinga for Windows service, you do not need to worry right now, should however still update in case you want to use the feature later on.

How to resolve it

We published a knowledge base entry for this, including scripts to test if you are affected by this vulnerability and to update your service installation after you updated your Icinga for Windows version.

All three packages are already released and can be downloaded from GitHub.

 

Thank you for bringing this to our attention. If you have any questions or require further information, please feel free to reach out to us.

You May Also Like…

Releasing Icinga Director v1.11.2

Releasing Icinga Director v1.11.2

We are pleased to announce the release of Icinga Director version 1.11.2, which addresses several important bug fixes...

Releasing Icinga Web v2.12.2

Releasing Icinga Web v2.12.2

Today we’re announcing the general availability of Icinga Web v2.12.2. You can find all issues related to this release...

Subscribe to our Newsletter

A monthly digest of the latest Icinga news, releases, articles and community topics.