[Pkg-nagios-devel] Bug#1087384: CVE-2024-49369: Security: fix TLS certificate validation bypass.
Hilmar Preusse
hille42 at web.de
Tue Nov 12 16:19:29 GMT 2024
Source: icinga2
Version: 2.14.2-1
Severity: grave
Tags: upstream security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
Dear Maintainer,
I'm pretty sure you're aware, nevertheless here is the bug report:
https://icinga.com/blog/2024/11/12/critical-icinga-2-security-releases-2-14-3/
Today, we are releasing security updates for Icinga 2 fixing a
critical vulnerability that allowed bypassing the certificate
validation for JSON-RPC and HTTP API connections.
Impact
The TLS certificate validation in all Icinga 2 versions starting
from 2.4.0 was flawed, allowing an attacker to impersonate both
trusted cluster nodes as well as any API users that use TLS
client certificates for authentication (ApiUser objects with the
client_cn attribute set).
By impersonating a trusted cluster node like a master or satellite,
an attacker can supply a malicious configuration update to other
nodes (if the accept_config attribute of the ApiListener object is
set to true) or instruct the other node to execute malicious commands
directly (if the accept_commands attribute of the ApiListener object
is set to true). These attributes are expected to be set in most
distributed installations, but in case they are not, an attacker
can still retrieve potentially sensitive information.
When impersonating API users, the impact depends on the permissions
configured for the individual users using certificate authentication.
This may include permissions like updating the configuration and
executing commands as well.
We expect most installations to be affected by this vulnerability
and recommend upgrading as soon as possible.
P.S. Ignore the version information below; however, stable & oldstable
are affected too.
Hilmar
-- System Information:
Debian Release: 12.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: arm64 (aarch64)
Foreign Architectures: armhf
Kernel: Linux 6.6.51+rpt-rpi-v8 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_CRAP
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
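The advisory above says the blast radius depends on three configuration facts: whether the ApiListener has accept_config or accept_commands set to true, and which ApiUser objects authenticate by client_cn (and with what permissions). The script below is an added triage helper, not code from the bug report, from Icinga or from Debian: it scans an Icinga 2 configuration for exactly those attributes and compares a version string against the affected range the advisory states (2.4.0 up to the fixed 2.14.3). The sample configuration is constructed for the example, and the version-range check is an assumption for the 2.14 release line only; a distribution package that backported the fix to an older branch must be judged by its changelog, not by this comparison.

```python
import re
from dataclasses import dataclass

# Constructed sample configuration (not from the original post). Object types and
# attribute names follow the advisory: ApiListener accept_config/accept_commands,
# ApiUser client_cn.
SAMPLE_CONFIG = """
object ApiListener "api" {
  accept_config = true
  accept_commands = true
  ticket_salt = TicketSalt
}

object ApiUser "deploy" {
  client_cn = "deploy.example.org"
  permissions = [ "config/modify", "actions/*" ]
}

object ApiUser "readonly" {
  client_cn = "ro.example.org"
  permissions = [ "objects/query/*" ]
}

object ApiUser "icingaweb2" {
  password = "secret"
  permissions = [ "*" ]
}
"""

OBJECT_RE = re.compile(r'^\s*object\s+(\w+)\s+"([^"]+)"\s*\{', re.M)
ATTR_RE = re.compile(r'^\s*([\w.]+)\s*=\s*(.+?)\s*$')


@dataclass
class IcingaObject:
    type: str
    name: str
    attrs: dict


@dataclass
class Finding:
    type: str
    name: str
    attr: str
    value: str


def parse_objects(text):
    """Extract 'object Type "name" { ... }' blocks with a brace-depth scan.
    Limitation: braces inside string literals are not special-cased."""
    objects = []
    for m in OBJECT_RE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
            i += 1
        body = text[m.end():i - 1]
        attrs = {}
        for line in body.splitlines():
            am = ATTR_RE.match(line)
            if am:
                attrs[am.group(1)] = am.group(2)
        objects.append(IcingaObject(m.group(1), m.group(2), attrs))
    return objects


def assess(objects):
    """Report the settings the advisory names as turning impersonation into
    config injection / command execution (ApiListener) or into the permissions
    of a certificate-authenticated ApiUser (client_cn)."""
    findings = []
    for obj in objects:
        if obj.type == "ApiListener":
            for attr in ("accept_config", "accept_commands"):
                if obj.attrs.get(attr) == "true":
                    findings.append(Finding(obj.type, obj.name, attr, "true"))
        elif obj.type == "ApiUser" and "client_cn" in obj.attrs:
            # Impact for this user is bounded by its permissions attribute.
            perms = obj.attrs.get("permissions", "(none)")
            findings.append(Finding(obj.type, obj.name, "client_cn", perms))
    return findings


def parse_version(s):
    """Accept '2.14.2', Debian '2.14.2-1' or 'icinga2 --version' style 'r2.14.2-1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError(f"no version in {s!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """Assumption: affected range per the advisory, 2.4.0 <= v < 2.14.3, valid
    for the 2.14 line; backported fixes in older branches are not modelled."""
    return (2, 4, 0) <= parse_version(version) < (2, 14, 3)


if __name__ == "__main__":
    for f in assess(parse_objects(SAMPLE_CONFIG)):
        print(f"{f.type} {f.name!r}: {f.attr} = {f.value}")
    print("version 2.14.2-1 affected:", is_affected("2.14.2-1"))
```

Run it against the concatenated output of the real configuration (for example `icinga2 object list` is the authoritative view of the effective config, including objects generated by apply rules, whereas the scanner above only sees literal `object` blocks in the files it is fed).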