CVE-2024-49369 (CVSS 9.8): Critical Flaw in Icinga 2 Allows for Impersonation and RCE
Icinga releases urgent security updates to address a critical TLS certificate validation bypass vulnerability affecting all versions since 2.4.0.
A critical vulnerability (CVE-2024-49369) has been discovered in Icinga 2, a widely used open-source monitoring system. This flaw allows attackers to bypass TLS certificate validation, potentially leading to the impersonation of trusted cluster nodes and API users, ultimately enabling remote code execution and configuration manipulation.
“The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed,” warns the Icinga security advisory. This vulnerability could allow attackers to:
- Impersonate trusted cluster nodes: By posing as a master or satellite node, attackers can inject malicious configuration updates or execute arbitrary commands on other nodes within the Icinga cluster.
- Impersonate API users: Attackers can exploit this vulnerability to gain unauthorized access with the permissions of legitimate API users, potentially granting them the ability to modify configurations or execute commands.
The impact of this vulnerability is significant, with Icinga stating that “most installations to be affected by this vulnerability.” The CVSS score of 9.8 underscores the severity of the issue.
Urgent Action Required: Upgrade Immediately
Icinga has released patched versions across multiple branches, including:
Users are strongly urged to upgrade to the latest patched versions immediately. Updated packages are available on packages.icinga.com, the Icinga for Windows repository, Docker Hub, and the Helm Chart repository.
Mitigation Strategies
While upgrading is the primary recommendation, Icinga acknowledges that immediate patching may not be feasible for all users. As a temporary mitigation strategy, restricting access to the Icinga 2 API port using firewalls can help reduce the attack surface.
Detailed Vulnerability Report Forthcoming
To allow users time to patch their systems, Icinga plans to release a comprehensive report with detailed information about the CVE-2024-49369 vulnerability, including reproduction steps, on November 26, 2024.
