CVE-2024-28872 Vulnerability in Stork Monitoring Tool Could Enable Server Takeover

Security researchers have uncovered a critical vulnerability (CVE-2024-28872) in Stork, a popular open-source network monitoring tool for Kea DHCP servers. This flaw could allow attackers to potentially hijack Stork servers, compromise sensitive data, and disrupt essential network services.

What is Stork?

Stork provides network administrators with a user-friendly graphical interface to manage and monitor Kea DHCP servers. It also integrates with LDAP for managing user authentication and authorization. DHCP servers play a vital role in assigning IP addresses and ensuring seamless network connectivity.

The Vulnerability Explained

The flaw, identified as CVE-2024-28872, carries a CVSS score of 8.9, underscoring the severity of the issue at hand. The vulnerability lies in how Stork validates TLS certificates. Attackers could exploit this flaw by obtaining a valid TLS certificate from the Stork server and using it to connect to the Stork agent (software that runs alongside monitored services). Once a connection is established, attackers could send malicious commands with elevated privileges to the monitored services, like Kea or BIND 9.

Potential Consequences

• Data Compromise: Successful exploitation could allow attackers to exfiltrate sensitive configuration data or logs from the Stork server, Kea, or BIND 9.
• Service Disruption: Attackers might be able to shut down Kea or BIND 9 servers, causing network outages and impacting device connectivity.
• Server Manipulation: Attackers could potentially modify configurations on the Stork server and the services it monitors, leading to further security risks.

Who is Affected?

Organizations that rely on Stork to manage their Kea or BIND 9 infrastructure are directly affected by this vulnerability. It’s essential to note that the vulnerability lies in Stork itself and not in the underlying DHCP or DNS servers it monitors.

Mitigation and Fixes

• Immediate Patching: The most critical step is to update Stork to the latest patched versions (1.15.1 or newer ) as soon as possible. These updates address the certificate validation vulnerability.
• Network Segmentation: Consider using firewalls or network segmentation to restrict access between the Stork server and its corresponding agents. This adds a layer of protection.

Additional Considerations

• Monitor for Updates: Stay updated on the latest Stork releases and security advisories to address future potential vulnerabilities.
• Review Logs: Monitor Stork, Kea, and BIND 9 logs for suspicious activity or unauthorized configuration changes.