Icinga monitoring software: Updates close critical security gap
A critical vulnerability in the certificate verification of the Icinga monitoring software lets attackers impersonate trusted cluster nodes. Updates are available that close it.
New releases of the Icinga monitoring software, which originated as a fork of the Nagios project, close a critical security hole. Because of the severity of the vulnerability, the developers even published advance notice of the updates, which are due this Tuesday.
In the security advisory, the developers of the open source software write that Icinga 2 masters, satellites and agents in various setups are affected by flawed certificate verification. In all Icinga 2 versions from 2.4.0 onwards, attackers can bypass the check and thus impersonate trusted cluster nodes as well as any API user that authenticates with a TLS client certificate (CVE-2024-49369, CVSS 9.8, risk "critical"). Depending on how the ApiListener is configured (for example whether it accepts configuration or commands from other nodes), this lets attackers inject manipulated configuration or even have commands executed. There is no workaround; only restricting access to the API port to trusted addresses with a firewall reduces the attack surface somewhat.
Updates for current products
The changelog for the new versions was not yet available at the time of writing, so it is unclear whether they fix further problems. What is certain is that versions 2.14.3, 2.13.10, 2.12.11 and 2.11.12 no longer contain the vulnerability. Admins should install them immediately.
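A quick way to check an installed release against the fixed versions listed above. This is an added example, not code from the article or from the Icinga project: it parses the version line printed by `icinga2 --version` (the sample line embedded below is constructed in the daemon's usual format, not captured from a real host), treats branches 2.4 through 2.10 as affected with no fixed release listed here, and assumes that releases newer than the 2.14 branch carry the fix.

```python
import re
import shutil
import subprocess
import sys

# Fixed releases per branch for CVE-2024-49369, as listed in the article.
# Assumption: branches 2.4 through 2.10 are affected (the advisory covers
# everything from 2.4.0) but have no fixed release listed, so the only remedy
# there is moving to a patched branch.
FIXED_RELEASES = {
    (2, 11): (2, 11, 12),
    (2, 12): (2, 12, 11),
    (2, 13): (2, 13, 10),
    (2, 14): (2, 14, 3),
}
FIRST_AFFECTED = (2, 4, 0)

# "icinga2 --version" prints the release as e.g. "(version: r2.14.2-1)";
# the fallback pattern also accepts a bare "2.14.2" given on the command line.
VERSION_PATTERNS = [
    re.compile(r"version:\s*r?(\d+)\.(\d+)\.(\d+)"),
    re.compile(r"\br?(\d+)\.(\d+)\.(\d+)\b"),
]


def parse_version(text):
    """Return (major, minor, patch) from icinga2 --version output or a bare version string."""
    for pattern in VERSION_PATTERNS:
        match = pattern.search(text)
        if match:
            return tuple(int(part) for part in match.groups())
    raise ValueError("no Icinga 2 version number found in %r" % text)


def assess(version):
    """Classify a (major, minor, patch) tuple against the fixed releases."""
    if version < FIRST_AFFECTED:
        return "not affected"
    branch = version[:2]
    if branch in FIXED_RELEASES:
        return "fixed" if version >= FIXED_RELEASES[branch] else "vulnerable"
    if branch > max(FIXED_RELEASES):
        # Assumption made here: releases after the newest fixed branch carry the fix.
        return "not affected"
    return "vulnerable (no fixed release in this branch, upgrade to a patched branch)"


def assess_output(text):
    """Parse the version out of text and return (version, verdict)."""
    version = parse_version(text)
    return version, assess(version)


# Constructed sample in the format the daemon prints; not captured from a real host.
SAMPLE_OUTPUT = "icinga2 - The Icinga 2 network monitoring daemon (version: r2.14.2-1)"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        text = sys.argv[1]
    elif shutil.which("icinga2"):
        text = subprocess.run(["icinga2", "--version"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_OUTPUT
    version, verdict = assess_output(text)
    print("Icinga 2 %s: %s" % (".".join(map(str, version)), verdict))
```

Run it without arguments on a node to inspect the locally installed daemon, or pass a version string such as `2.13.9` to check a release you have not deployed yet. The verdict is only as good as the table at the top; update it if the project publishes further fixed releases.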
The Icinga project also provides updated packages for the following environments:
- Amazon Linux 2, 2023
- CentOS 7, 8
- Debian 10, 11, 12
- Docker images
- Fedora 37, 38, 39, 40
- Helm Chart
- openSUSE 15.4, 15.5, 15.6
- Raspberry Pi OS 11, 12 (64-bit versions only)
- Raspbian 11 (32-bit versions only)
- Red Hat Enterprise Linux 7, 8, 9
- SUSE Linux Enterprise Server 12.5, 15.3, 15.4, 15.5, 15.6
- Ubuntu 18.04, 20.04, 22.04, 23.04, 23.10, 24.04, 24.10
- Windows Server >= 2012
The project apologizes for the inconvenience but urges IT managers to apply the updates as soon as possible.
Obsolete products after end-of-lifecycle
The developers emphasize that they are also patching the vulnerability in Icinga versions that have reached their end-of-life (EOL). Icinga also points out that the signing keys for its package repositories have been replaced. The old GPG keys were 1024-bit DSA keys, which are now classified as weak; the new ones are 4096-bit RSA keys. Icinga uses them to sign both the repositories as a whole and the individual packages. The announcement explains what administrators need to do so that package signatures can still be verified correctly, with brief instructions for various distributions, from RHEL, SLES and openSUSE to Debian and Ubuntu.
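After a key rotation like the one described above, the check a practitioner wants is whether the repository signing key a host still trusts is the old 1024-bit DSA key or the new 4096-bit RSA one. This is an added example, not code from the article or from the Icinga project: it parses the machine-readable output of `gpg --with-colons --show-keys`, the two listings embedded in the block are constructed with placeholder key IDs and fingerprints (Icinga's real fingerprints are deliberately not reproduced here and should be compared against the project's announcement), and the "weak" policy is an assumption made here rather than an Icinga statement.

```python
import shutil
import subprocess
import sys

# OpenPGP public-key algorithm IDs (RFC 4880) as printed in field 4 of
# `gpg --with-colons` pub:/sub: records.
ALGO_NAMES = {1: "RSA", 2: "RSA", 3: "RSA", 16: "ELG", 17: "DSA",
              18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


def parse_colons(output):
    """Turn pub:/sub: records (plus their fpr: lines) from gpg --with-colons into dicts."""
    keys = []
    for line in output.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            keys.append({
                "type": fields[0],
                "bits": int(fields[2]),
                "algo": ALGO_NAMES.get(int(fields[3]), "algo" + fields[3]),
                "keyid": fields[4],
                "caps": fields[11] if len(fields) > 11 else "",
                "fingerprint": None,
            })
        elif fields[0] == "fpr" and keys:
            # An fpr: record follows the pub:/sub: record it belongs to; field 10 is the fingerprint.
            keys[-1]["fingerprint"] = fields[9]
    return keys


def is_weak(key, min_rsa_bits=2048):
    """Local policy (an assumption made here, not Icinga's): DSA and ElGamal keys of any
    size and RSA keys shorter than min_rsa_bits count as weak."""
    if key["algo"] in ("DSA", "ELG"):
        return True
    return key["algo"] == "RSA" and key["bits"] < min_rsa_bits


def weak_keys(output):
    """Return the keys from a gpg --with-colons listing that fail the policy."""
    return [key for key in parse_colons(output) if is_weak(key)]


def describe(key):
    return "%s %s-%d %s caps=%s fpr=%s" % (
        key["type"], key["algo"], key["bits"], key["keyid"], key["caps"], key["fingerprint"])


# Constructed listings with placeholder key IDs and fingerprints (not Icinga's real keys):
# the shape of the old 1024-bit DSA key and of a 4096-bit RSA replacement.
OLD_KEY_LISTING = """\
pub:-:1024:17:0000000000000001:1262304000:::-:::scSC::::::::
fpr:::::::::0000000000000000000000000000000000000001:
uid:-::::1262304000::0000000000000000000000000000000000000000::Example Repository Key <repo@example.com>::::::::::0:
sub:-:1024:16:0000000000000002:1262304000::::::e::::::::
fpr:::::::::0000000000000000000000000000000000000002:
"""

NEW_KEY_LISTING = """\
pub:-:4096:1:0000000000000003:1700000000:::-:::scSC::::::::
fpr:::::::::0000000000000000000000000000000000000003:
uid:-::::1700000000::0000000000000000000000000000000000000000::Example Repository Key <repo@example.com>::::::::::0:
sub:-:4096:1:0000000000000004:1700000000::::::s::::::::
fpr:::::::::0000000000000000000000000000000000000004:
"""


def listing_for_file(path):
    """Run gpg on a key file; --show-keys needs gpg 2.1.23 or newer."""
    if not shutil.which("gpg"):
        raise RuntimeError("gpg not found")
    return subprocess.run(["gpg", "--with-colons", "--show-keys", path],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # With no arguments the two constructed listings are inspected instead of real files.
    listings = [listing_for_file(p) for p in sys.argv[1:]] or [OLD_KEY_LISTING, NEW_KEY_LISTING]
    for listing in listings:
        for key in parse_colons(listing):
            print("WEAK" if is_weak(key) else "ok  ", describe(key))
```

Point it at the key file your distribution's package manager actually uses for the Icinga repository (the path varies by distribution and by how the key was installed, so none is assumed here). A key reported as DSA-1024 is the old one and the instructions in the announcement apply; for a key reported as RSA-4096, compare the printed fingerprint against the one the project publishes before trusting it.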
Like all software, monitoring software is occasionally affected by security vulnerabilities. At the beginning of the year, admins had to install security updates for three popular monitoring systems: Splunk, Cacti and Checkmk were affected by high-risk vulnerabilities and, in one case, by a critical one.
(dmk)