Platform: linux
Component: stork
Fixed in: 1.15.1
CVE-2024-28872 describes a critical vulnerability in Stork, a management tool for Kea and BIND 9 DNS servers. This flaw stems from a weakness in the TLS certificate validation process, allowing attackers to potentially compromise monitored services. The vulnerability impacts Stork versions 0.15.0 through 1.15.0, and a fix is available in version 1.15.1.
The core of the vulnerability lies in Stork's inadequate TLS certificate validation. An attacker who can obtain a TLS certificate from the Stork server can then use this certificate to establish a connection to the Stork agent. Once connected, the attacker can inject malicious commands targeted at the monitored services, either Kea or BIND 9. This could lead to a range of severe consequences, including unauthorized data exfiltration, modification of DNS records (in the case of BIND 9), and denial-of-service attacks. The blast radius is limited to the services managed by Stork, but successful exploitation could have significant operational and security implications. This vulnerability does not directly affect Kea or BIND 9 themselves, only those using Stork for management.
CVE-2024-28872 was published on July 11, 2024. Its severity is rated HIGH with a CVSS score of 8.9. As of this writing, there are no publicly known proof-of-concept (PoC) exploits. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, nor does it have an EPSS score. No active exploitation campaigns are currently reported, but the ease of exploitation, given a valid certificate, warrants careful monitoring.
Exploit Status
EPSS: 0.25% (48th percentile)
The primary mitigation for CVE-2024-28872 is to upgrade Stork to version 1.15.1 or later, which includes the fix for the TLS certificate validation flaw. If an immediate upgrade is not feasible, consider implementing stricter network segmentation to limit access to the Stork agent. Additionally, carefully review and restrict the certificates that Stork trusts. While not a complete solution, implementing a Web Application Firewall (WAF) with TLS inspection capabilities might provide an additional layer of defense by detecting and blocking malicious requests. After upgrading, verify the fix by attempting to connect to the Stork agent with a self-signed certificate; the connection should be rejected.
Upgrade Stork to a version later than 1.15.0. This will fix the incorrect TLS certificate validation. See the ISC announcement for more details and specific upgrade instructions.
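The post-upgrade verification step described above, as an added Go example (not code from Stork or ISC): it presents a throwaway self-signed client certificate to a TLS listener and reports whether the listener refuses it. The function names are hypothetical, and the agent's host:port is supplied by the operator.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net"
	"os"
	"time"
)

// selfSigned builds a throwaway client certificate signed by no CA (added example, not Stork code).
func selfSigned() (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// probeRejected reports whether the TLS listener at addr refuses that certificate.
func probeRejected(addr string) (bool, error) {
	cert, err := selfSigned()
	if err != nil {
		return false, err
	}
	raw, err := net.DialTimeout("tcp", addr, 5*time.Second)
	if err != nil {
		return false, err // unreachable listener: no verdict either way
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	conn := tls.Client(raw, &tls.Config{InsecureSkipVerify: true, // we test the listener's check of us, not ours of it
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return cert, nil }})
	if err = conn.Handshake(); err == nil { // a TLS 1.2 refusal surfaces in the handshake
		_, err = conn.Read(make([]byte, 1)) // a TLS 1.3 refusal surfaces on the first read
	}
	// A read that merely times out means no alert arrived, so the cert was not refused.
	return err != nil && !errors.Is(err, os.ErrDeadlineExceeded), nil
}

func main() { fmt.Println(probeRejected(os.Args[1])) } // usage: go run probe.go host:port
```

A refusal shows only that untrusted client certificates are turned away; confirming that the installed version is 1.15.1 or later remains the primary check.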
CVE-2024-28872 is a HIGH severity vulnerability in Stork versions 0.15.0–1.15.0 where flawed TLS certificate validation allows attackers with a valid certificate to execute malicious commands on monitored Kea/BIND 9 services.
You are affected if you are running Stork versions 0.15.0 through 1.15.0 and are using it to manage Kea or BIND 9 DNS servers. Versions prior to 1.15.1 are vulnerable.
Upgrade Stork to version 1.15.1 or later to remediate the TLS certificate validation flaw. If immediate upgrade is not possible, implement network segmentation and stricter certificate trust policies.
As of now, there are no publicly known active exploitation campaigns or Proof-of-Concept exploits for CVE-2024-28872, but the vulnerability's nature warrants close monitoring.
Refer to the official Stork project website and security advisories for the latest information and updates regarding CVE-2024-28872: [https://github.com/stork-team/stork](https://github.com/stork-team/stork)