Debian dla-3953 : icinga2 - security update

high Nessus Plugin ID 211508

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3953 advisory.

------------------------------------------------------------------------- Debian LTS Advisory DLA-3953-1 [email protected] https://www.debian.org/lts/security/ Daniel Leidert November 16, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : icinga2 Version : 2.12.3-1+deb11u1 CVE ID : CVE-2021-32739 CVE-2021-32743 CVE-2021-37698 CVE-2024-49369 Debian Bug : 991494 1087384

Icinga 2 is a general-purpose monitoring application to fit the needs of any size of network.

CVE-2021-32739

From version 2.4.0 through version 2.12.4, a vulnerability exists that may allow privilege escalation for authenticated API users. With a read-only user's credentials, an attacker can view most attributes of all config objects including `ticket_salt` of `ApiListener`. This salt is enough to compute a ticket for every possible common name (CN). A ticket, the master node's certificate, and a self-signed certificate are enough to successfully request the desired certificate from Icinga. That certificate may in turn be used to steal an endpoint or API user's identity.

CVE-2021-32743

In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4, some of the Icinga 2 features that require credentials for external services expose those credentials through the API to authenticated API users with read permissions for the corresponding object types. An attacker who obtains these credentials can impersonate Icinga to these services and add, modify and delete information there.

CVE-2021-37698

In versions 2.5.0 through 2.13.0, ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer do not verify the server's certificate despite a certificate authority being specified. Icinga 2 instances which connect to any of the mentioned time series databases (TSDBs) using TLS over a spoofable infrastructure should change the credentials (if any) used by the TSDB writer feature to authenticate against the TSDB.

CVE-2024-49369

The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set).

For Debian 11 bullseye, these problems have been fixed in version 2.12.3-1+deb11u1.

We recommend that you upgrade your icinga2 packages.

For the detailed security status of icinga2 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/icinga2

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS Attachment:
signature.asc Description: This is a digitally signed message part

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the icinga2 packages.

See Also

https://security-tracker.debian.org/tracker/source-package/icinga2

https://security-tracker.debian.org/tracker/CVE-2021-32739

https://security-tracker.debian.org/tracker/CVE-2021-32743

https://security-tracker.debian.org/tracker/CVE-2021-37698

https://security-tracker.debian.org/tracker/CVE-2024-49369

https://packages.debian.org/source/bullseye/icinga2

Plugin Details

Severity: High

ID: 211508

File Name: debian_DLA-3953.nasl

Version: 1.2

Type: local

Agent: unix

Published: 11/18/2024

Updated: 12/6/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2021-32743

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:icinga2-ido-pgsql, p-cpe:/a:debian:debian_linux:icinga2, p-cpe:/a:debian:debian_linux:icinga2-doc, p-cpe:/a:debian:debian_linux:icinga2-bin, p-cpe:/a:debian:debian_linux:icinga2-ido-mysql, p-cpe:/a:debian:debian_linux:icinga2-common, p-cpe:/a:debian:debian_linux:vim-icinga2

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/16/2024

Vulnerability Publication Date: 7/15/2021

Reference Information

CVE: CVE-2021-32739, CVE-2021-32743, CVE-2021-37698, CVE-2024-49369

IAVB: 2024-B-0186