Synopsis
The remote Debian host is missing one or more security-related updates.
Description
The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3953 advisory.
------------------------------------------------------------------------- Debian LTS Advisory DLA-3953-1 [email protected] https://www.debian.org/lts/security/ Daniel Leidert November 16, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : icinga2 Version : 2.12.3-1+deb11u1 CVE ID : CVE-2021-32739 CVE-2021-32743 CVE-2021-37698 CVE-2024-49369 Debian Bug : 991494 1087384
Icinga 2 is a general-purpose monitoring application to fit the needs of any size of network.
CVE-2021-32739
From version 2.4.0 through version 2.12.4, a vulnerability exists that may allow privilege escalation for authenticated API users. With a read-only user's credentials, an attacker can view most attributes of all config objects including `ticket_salt` of `ApiListener`. This salt is enough to compute a ticket for every possible common name (CN). A ticket, the master node's certificate, and a self-signed certificate are enough to successfully request the desired certificate from Icinga. That certificate may in turn be used to steal an endpoint or API user's identity.
CVE-2021-32743
In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4, some of the Icinga 2 features that require credentials for external services expose those credentials through the API to authenticated API users with read permissions for the corresponding object types. An attacker who obtains these credentials can impersonate Icinga to these services and add, modify and delete information there.
CVE-2021-37698
In versions 2.5.0 through 2.13.0, ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer do not verify the server's certificate despite a certificate authority being specified. Icinga 2 instances which connect to any of the mentioned time series databases (TSDBs) using TLS over a spoofable infrastructure should change the credentials (if any) used by the TSDB writer feature to authenticate against the TSDB.
CVE-2024-49369
The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set).
For Debian 11 bullseye, these problems have been fixed in version 2.12.3-1+deb11u1.
We recommend that you upgrade your icinga2 packages.
For the detailed security status of icinga2 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/icinga2
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS Attachment:
signature.asc Description: This is a digitally signed message part
Tenable has extracted the preceding description block directly from the Debian security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade the icinga2 packages.
Plugin Details
File Name: debian_DLA-3953.nasl
Agent: unix
Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Vulnerability Information
CPE: cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:icinga2-ido-pgsql, p-cpe:/a:debian:debian_linux:icinga2, p-cpe:/a:debian:debian_linux:icinga2-doc, p-cpe:/a:debian:debian_linux:icinga2-bin, p-cpe:/a:debian:debian_linux:icinga2-ido-mysql, p-cpe:/a:debian:debian_linux:icinga2-common, p-cpe:/a:debian:debian_linux:vim-icinga2
Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l
Exploit Ease: Exploits are available
Patch Publication Date: 11/16/2024
Vulnerability Publication Date: 7/15/2021