Brace of Icinga web vulnerabilities ‘easily chained’ to hack IT monitoring software
Open source IT monitoring system gets patched
John Leyden 13 May 2022 at 13:49 UTC
A pair of vulnerabilities in the web control panel of IT monitoring system Icinga created a route for even unauthenticated attackers to run arbitrary PHP code and hijack systems.
The recently resolved web-related vulnerabilities – both discovered by security researchers at SonarSource – involved two path traversal vulnerabilities and a flaw that makes it possible to execute arbitrary PHP code from the administrator interface.
Path to exploitation
CVE-2022-24716 is a path traversal bug in Icinga Web 2, and CVE-2022-24715 is a separate path traversal bug that also exploits the behaviour of PHP when validating an SSH key that contains a NULL byte. The PHP vulnerability is in the OpenSSL core extension.
These various vulnerabilities can readily be chained together to compromise a server, SonarSource warns.
Patches have been released and updates to Icinga Web versions 2.8.6, 2.9.6 and 2.10 are recommended. Users are advised to update their installation as well as rotating credentials as an additional precaution.
Icinga offers an open source IT monitoring system that comes with various plugins and can be used to monitor network traffic, disk space, or services running on monitored hosts.
The vulnerabilities stem from coding flaws in the web control panel for the technology, which is known as Icinga Web 2.
Rich pickings
The path traversal vulnerability meant that attackers could potentially access the contents of local system files accessible to the web server user, including icingaweb2 configuration files with database credentials.
The CVE-2022-24715 vulnerability can result in the execution of arbitrary PHP code from the administration interface.
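Both bug classes above come down to a user-supplied file name escaping the directory it was meant for, either by traversal or by a NULL byte that truncates the name once it reaches C-backed code. The following is an added PHP example of the defensive check a web application can apply before reading or writing such a file; it is not Icinga's own code, and the function name, directory and sample names are assumptions.

```php
<?php
// Added example (not from Icinga Web 2): confine a user-supplied
// resource file name to a single base directory.
// safe_resource_path() and the directory below are hypothetical.

function safe_resource_path(string $base_dir, string $name): ?string
{
    // Reject embedded NUL bytes first: filesystem calls and the
    // openssl extension work on C strings and would see a truncated
    // name, so a later string check could be fooled.
    if (strpos($name, "\0") !== false) {
        return null;
    }
    // Allow only a plain file name: no separators, no '.' or '..'.
    if (!preg_match('/\A[A-Za-z0-9._-]+\z/', $name)
        || $name === '.' || $name === '..') {
        return null;
    }
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $name;
    // The file may not exist yet, so resolve the parent directory
    // (following symlinks) and require it to be the base itself.
    if (realpath(dirname($candidate)) !== $base) {
        return null;
    }
    return $candidate;
}

// Constructed inputs for demonstration.
$base = sys_get_temp_dir() . '/resource-dir-example';
@mkdir($base, 0700, true);
$samples = ['id_rsa', '../../../etc/passwd', "key\0.pub", 'sub/dir', '..'];
foreach ($samples as $n) {
    $p = safe_resource_path($base, $n);
    printf("%-25s => %s\n", addcslashes($n, "\0"),
        $p === null ? 'rejected' : 'accepted');
}
```

Only the first sample is accepted; the others are rejected before any filesystem or key-parsing call sees them.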
As explained in a technical blog post by SonarSource this week, the two flaws can “easily [be] chained [together] to compromise the server from an unauthenticated position if the attacker can reach the database by first disclosing configuration files and modifying the administrator’s password”.
The Daily Swig asked SonarSource whether or not the vulnerabilities might have been abused in the wild, as well as what lessons its findings offered to other software developers.
No word back as yet, but we’ll update this story as and when more information comes to hand.
Related news
Gentoo Linux Security Advisory 202208-5 - Multiple vulnerabilities have been found in Icinga Web 2, the worst of which could result in remote code execution. Versions less than 2.9.6 are affected.
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server user, including `icingaweb2` configuration files with database credentials. This issue has been resolved in versions 2.9.6 and 2.10 of Icinga Web 2. Database credentials should be rotated.
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2. Users unable to upgrade should limit access to the Icinga Web 2 configuration.