[Pkg-nagios-devel] Bug#991494: icinga2: CVE-2021-32739 CVE-2021-32743

Moritz Mühlenhoff jmm at inutil.org
Sun Jul 25 20:08:17 BST 2021

Source: icinga2
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security


The following vulnerabilities were published for icinga2.

| Icinga is a monitoring system which checks the availability of network
| resources, notifies users of outages, and generates performance data
| for reporting. From version 2.4.0 through version 2.12.4, a
| vulnerability exists that may allow privilege escalation for
| authenticated API users. With a read-ony user's credentials, an
| attacker can view most attributes of all config objects including
| `ticket_salt` of `ApiListener`. This salt is enough to compute a
| ticket for every possible common name (CN). A ticket, the master
| node's certificate, and a self-signed certificate are enough to
| successfully request the desired certificate from Icinga. That
| certificate may in turn be used to steal an endpoint or API user's
| identity. Versions 2.12.5 and 2.11.10 both contain a fix the
| vulnerability. As a workaround, one may either specify queryable types
| explicitly or filter out ApiListener objects.


| Icinga is a monitoring system which checks the availability of network
| resources, notifies users of outages, and generates performance data
| for reporting. In versions prior to 2.11.10 and from version 2.12.0
| through version 2.12.4, some of the Icinga 2 features that require
| credentials for external services expose those credentials through the
| API to authenticated API users with read permissions for the
| corresponding object types. IdoMysqlConnection and IdoPgsqlConnection
| (every released version) exposes the password of the user used to
| connect to the database. IcingaDB (added in 2.12.0) exposes the
| password used to connect to the Redis server. ElasticsearchWriter
| (added in 2.8.0)exposes the password used to connect to the
| Elasticsearch server. An attacker who obtains these credentials can
| impersonate Icinga to these services and add, modify and delete
| information there. If credentials with more permissions are in use,
| this increases the impact accordingly. Starting with the 2.11.10 and
| 2.12.5 releases, these passwords are no longer exposed via the API. As
| a workaround, API user permissions can be restricted to not allow
| querying of any affected objects, either by explicitly listing only
| the required object types for object query permissions, or by applying
| a filter rule.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32739
[1] https://security-tracker.debian.org/tracker/CVE-2021-32743

Please adjust the affected versions in the BTS as needed.

More information about the Pkg-nagios-devel mailing list