Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 943329 (CVE-2024-49369)

Summary: <net-analyzer/icinga2-2.14.3: TLS certificate validation bypass
Product: Gentoo Security Reporter: Tomáš Mózes <hydrapolic>
Component: VulnerabilitiesAssignee: Matthew Thode ( prometheanfire ) <prometheanfire>
Status: RESOLVED FIXED    
Severity: normal CC: hydrapolic, prometheanfire, security
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://icinga.com/blog/2024/11/12/critical-icinga-2-security-releases-2-14-3/
Whiteboard: B1 [glsa+]
Package list:
Runtime testing required: ---

Description Tomáš Mózes 2024-11-12 15:12:52 UTC 
https://icinga.com/blog/2024/11/12/critical-icinga-2-security-releases-2-14-3/

Today, we are releasing security updates for Icinga 2 fixing a critical vulnerability that allowed to bypass the certificate validation for JSON-RPC and HTTP API connections.
Impact

The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set).

By impersonating a trusted cluster node like a master or satellite, an attacker can supply a malicious configuration update to other nodes (if the accept_config attribute of the ApiListener object is set to true) or instruct the other node to execute malicious commands directly (if the accept_commands attribute of the ApiListener object is set to true). These attributes are expected to be set in most distributed installations, but in case they are not, an attacker can still retrieve potentially sensitive information.

When impersonating API users, the impact depends on the permissions configured for the individual users using certificate authentication. This may include permissions like updating the configuration and executing commands as well.

We expect most installations to be affected by this vulnerability and recommend upgrading as soon as possible.
Patches

The following fixed versions were released:

    v2.14.3
    v2.13.10
    v2.12.11
    v2.11.12

The source code for the new versions can be found in our Git repository. Updated binary packages are available on packages.icinga.com and the Icinga for Windows repository. Updated container images are available on Docker Hub. Updated Helm Charts are provided in the corresponding repository.

Given the severity of the issue, users are advised to upgrade immediately.
Workarounds

There is no known way to work around this in Icinga 2. Access to the Icinga 2 API port can be restricted using firewalls to reduce the impact.
Details

In order to allow some time for patching, the full report with more details on the vulnerability including how to reproduce it will be released in two weeks on 2024-11-26.
Acknowledgements

We would like to thank Finn Steglich for finding and reporting this issue.
References

    GitHub Security Advisory
    Patch (source code): master branch, v2.14.3, v2.13.10, v2.12.11, v2.11.12

For more information

If you have any questions or comments about this advisory, please ask in our community forum or email us at info@icinga.com.

For reporting possible security issues, please see the information on our website.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2024-11-12 17:51:57 UTC 
Updated with quick stable from 2.14.2 to 2.14.3, removed 2.14.2.
Comment 2 Tomáš Mózes 2024-11-12 20:36:19 UTC 
Thank you Matthew
Comment 3 Larry the Git Cow gentoo-dev 2024-12-07 10:38:26 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c0074768f3370d9e4501ee33392fe6fdba1a4f12

commit c0074768f3370d9e4501ee33392fe6fdba1a4f12
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-12-07 10:38:13 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-12-07 10:38:23 +0000

    [ GLSA 202412-08 ] icinga2: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/760660
    Bug: https://bugs.gentoo.org/943329
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202412-08.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)