Platform: linux
Component: icinga2
Fixed in: 2.4.1, 2.12.1, 2.13.1, 2.14.1
CVE-2024-49369 is a critical vulnerability affecting Icinga 2, a popular monitoring system. The flaw lies in the TLS certificate validation process and enables attackers to impersonate both trusted cluster nodes and API users authenticated via TLS client certificates. The vulnerability impacts versions 2.4.0 through 2.14.2, and a fix is available in versions 2.14.3, 2.13.10, 2.12.11, and 2.11.12.
The impact of CVE-2024-49369 is significant due to the potential for complete system compromise. An attacker exploiting this vulnerability can impersonate legitimate cluster nodes, gaining unauthorized access to monitoring data and potentially manipulating the system's behavior. Furthermore, they can impersonate API users utilizing TLS client certificates, potentially accessing sensitive information or executing commands with elevated privileges. This could lead to data breaches, denial of service, or even complete control over the monitored infrastructure. The ability to impersonate API users with client certificates is particularly concerning, as it bypasses standard authentication mechanisms.
This vulnerability was publicly disclosed on November 12, 2024. While no active exploitation campaigns have been publicly confirmed, the critical severity and ease of exploitation suggest a high probability of future attacks. The vulnerability's impact on API authentication makes it a particularly attractive target. It is not currently listed on the CISA KEV catalog, but its severity warrants close monitoring. No public proof-of-concept exploits have been released at the time of writing.
Organizations heavily reliant on Icinga 2 for critical infrastructure monitoring are at significant risk. Specifically, deployments utilizing API users with TLS client certificates for authentication are particularly vulnerable. Environments with legacy Icinga 2 configurations or those that have not implemented robust TLS security practices are also at increased risk.
• linux / server:
  journalctl -u icinga2 | grep -i "certificate validation"
• linux / server:
  lsof -a -i :5665 -p "$(pidof icinga2 | tr ' ' ',')" # Check for unexpected connections (-a ANDs the port and PID filters)
• generic web:
  curl -I https://<icinga2_server>/api/v1/ # Inspect response headers for anomalies
EPSS: 17.90% (95th percentile)
The primary mitigation for CVE-2024-49369 is to upgrade Icinga 2 to a patched version: 2.14.3, 2.13.10, 2.12.11, or 2.11.12. If an immediate upgrade is not feasible, consider implementing stricter TLS certificate pinning policies to limit the certificates that Icinga 2 will accept. While not a complete solution, this can reduce the attack surface. Review and restrict API user permissions to minimize the potential damage from a successful impersonation. After upgrading, confirm the fix by verifying that TLS certificate validation is functioning correctly and that unauthorized connections are rejected.
Upgrade Icinga 2 to version 2.14.3, 2.13.10, 2.12.11 or 2.11.12, or to a later version. This fixes TLS certificate validation on JSON-RPC and HTTP API connections, preventing impersonation of cluster nodes and API users.
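The fixed release differs per branch, so a single "is it older than X" comparison misclassifies hosts. The following added example (not code from Icinga or from this page's author) triages reported versions using only the ranges stated above; the function name, the inventory and the accepted version string forms such as `r2.14.2-1` are assumptions.

```shell
#!/bin/sh
# Added example: triage an Icinga 2 version against CVE-2024-49369 using only
# the ranges stated on this page (affected 2.4.0 through 2.14.2; fixed in
# 2.14.3, 2.13.10, 2.12.11, 2.11.12). The function name is hypothetical.
# Prints: not-affected | fixed | vulnerable:<first fixed release> |
#         vulnerable:no-fix-listed | unknown
cve_2024_49369_status() {
    # Accept "2.14.2", "v2.14.2" or "r2.14.2-1": drop prefix and package suffix.
    v=$(printf '%s' "$1" | sed -e 's/^[rv]//' -e 's/[-+].*$//')
    case "$v" in ''|*[!0-9.]*) echo unknown; return 0 ;; esac
    IFS=. read -r major minor patch rest <<EOF
$v
EOF
    if [ -z "$major" ] || [ -z "$minor" ]; then echo unknown; return 0; fi
    patch=${patch:-0}
    if [ "$major" -lt 2 ]; then echo not-affected; return 0; fi
    if [ "$major" -gt 2 ]; then echo fixed; return 0; fi
    # Each patched 2.x branch has its own first fixed patch level.
    case "$minor" in
        11) need=12 ;;
        12) need=11 ;;
        13) need=10 ;;
        14) need=3 ;;
        *)  need= ;;
    esac
    if [ -n "$need" ]; then
        if [ "$patch" -ge "$need" ]; then echo fixed
        else echo "vulnerable:2.$minor.$need"; fi
    elif [ "$minor" -lt 4 ]; then
        echo not-affected              # older than 2.4.0, outside the stated range
    elif [ "$minor" -gt 14 ]; then
        echo fixed                     # later than every fixed release listed
    else
        echo vulnerable:no-fix-listed  # 2.4 to 2.10: in range, no fix on this page
    fi
}

# Constructed sample inventory (host and reported version), not real data.
while read -r host version; do
    printf '%-10s %-12s %s\n' "$host" "$version" "$(cve_2024_49369_status "$version")"
done <<EOF
mon-01 r2.14.2-1
mon-02 2.13.10
sat-07 2.12.3
sat-09 2.10.5
agent-3 v2.14.3
EOF
```

Hosts reported as `vulnerable:no-fix-listed` are on a branch for which this page names no patched release, so they need a move to one of the patched branches rather than a patch-level update.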
CVE-2024-49369 is a critical vulnerability in Icinga 2 where flawed TLS certificate validation allows attackers to impersonate cluster nodes and API users, potentially leading to system compromise.
If you are running Icinga 2 versions 2.4.0 through 2.14.2, you are affected by this vulnerability. Immediate action is required.
Upgrade Icinga 2 to version 2.14.3, 2.13.10, 2.12.11, or 2.11.12 to resolve this vulnerability. Consider stricter TLS certificate pinning as an interim measure.
While no active exploitation campaigns have been publicly confirmed, the critical severity and ease of exploitation suggest a high probability of future attacks.
Refer to the official Icinga 2 security advisory for detailed information and updates: https://www.icinga.com/advisory/icinga-2-security-advisory