Open source IT monitoring system gets patched

Recently resolved vulnerabilities in the web control panel of IT monitoring system Icinga posed a severe hacking risk

A pair of vulnerabilities in the web control panel of IT monitoring system Icinga created a route for even unauthenticated attackers to run arbitrary PHP code and hijack systems.

The recently resolved web-related vulnerabilities – both discovered by security researchers at SonarSource – involved two path traversal vulnerabilities and a flaw that makes it possible to execute arbitrary PHP code from the administrator interface.

Path to exploitation

CVE-2022-24716 is a path traversal bug in Icinga Web 2, and CVE-2022-24715 is a separate path traversal bug that also exploits the behaviour of PHP when validating an SSH key containing a NULL byte. The PHP vulnerability is in the OpenSSL core extension.

These various vulnerabilities can readily be chained together to compromise a server, SonarSource warns.

Patches have been released and updates to Icinga Web versions 2.8.6, 2.9.6 and 2.10 are recommended. Users are advised to update their installation and, as an additional precaution, to rotate credentials.


Icinga offers an open source IT monitoring system that comes with various plugins and can be used to monitor network traffic, disk space, or services running on monitored hosts.

The vulnerabilities stem from coding flaws in the web control panel for the technology, which is known as Icinga Web 2.

Rich pickings

The path traversal vulnerability meant that attackers could potentially access the contents of any local system files accessible to the web server user, including icingaweb2 configuration files with database credentials.

The CVE-2022-24715 vulnerability can result in the execution of arbitrary PHP code from the administration interface.

As explained in a technical blog post by SonarSource this week, the two flaws can “easily [be] chained [together] to compromise the server from an unauthenticated position if the attacker can reach the database by first disclosing configuration files and modifying the administrator's password”.
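Because the chain starts with path traversal and relies on a NULL byte, both leave recognisable traces in web server access logs. The following is an added example (not code from SonarSource, Icinga or the original article) of a small log scanner that flags such requests: it percent-decodes each request target repeatedly to expose double encoding, reports any `..` path segment or embedded NUL byte, and checks whether the normalised path escapes the application root. It assumes a combined-format access log and that Icinga Web 2 is served under `/icingaweb2/`; the log lines and request paths are constructed for illustration and are not taken from real traffic or from the advisory.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined format). The request targets
# are illustrative only; they are not the real endpoints from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2022:12:00:01 +0000] "GET /icingaweb2/dashboard HTTP/1.1" 200 5123
203.0.113.5 - - [10/Mar/2022:12:00:02 +0000] "GET /icingaweb2/static/img/../../../../etc/icingaweb2/resources.ini HTTP/1.1" 200 812
198.51.100.7 - - [10/Mar/2022:12:00:03 +0000] "GET /icingaweb2/lib/%2e%2e%2f%2e%2e%2fconfig.ini HTTP/1.1" 404 210
198.51.100.7 - - [10/Mar/2022:12:00:04 +0000] "POST /icingaweb2/config/resource?name=key%00.pem HTTP/1.1" 302 0
192.0.2.9 - - [10/Mar/2022:12:00:05 +0000] "GET /icingaweb2/css/icinga.min.css HTTP/1.1" 200 40211
"""

# Minimal parser for one combined-format line: client IP, timestamp,
# method, request target and status code.
REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed application root; adjust to the real mount point of Icinga Web 2.
APP_ROOT = '/icingaweb2'


def fully_decode(s, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (%252e) are revealed."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify_target(target, app_root=APP_ROOT):
    """Return a list of finding labels for one request target (path + query)."""
    findings = []
    path, _, query = target.partition('?')
    decoded_path = fully_decode(path)
    decoded_query = fully_decode(query)

    # A NUL byte anywhere in the request is never legitimate for a web app.
    if '\x00' in decoded_path or '\x00' in decoded_query:
        findings.append('null-byte')

    # Treat backslashes as separators so "..\" variants are caught too.
    candidate = decoded_path.replace('\\', '/')
    if '..' in candidate.split('/'):
        findings.append('dot-dot-segment')

    # Lexical normalisation: does the resolved path leave the app root?
    normalized = posixpath.normpath(candidate)
    if normalized != app_root and not normalized.startswith(app_root + '/'):
        findings.append('escapes-app-root')
    return findings


def scan_log(text, app_root=APP_ROOT):
    """Scan access-log text and return one alert dict per suspicious request."""
    alerts = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue  # unparsable line; a real deployment would count these
        findings = classify_target(m['target'], app_root)
        if findings:
            alerts.append({
                'ip': m['ip'],
                'method': m['method'],
                'target': m['target'],
                'status': m['status'],
                'findings': findings,
            })
    return alerts


if __name__ == '__main__':
    for alert in scan_log(SAMPLE_LOG):
        print(alert['ip'], alert['status'], alert['target'], alert['findings'])
```

Requests are flagged regardless of response status: a 404 on a traversal attempt still shows probing, and a 200 on a path that normalises to `/etc/...` is the case worth paging someone over. The check is purely lexical (no filesystem access), so it runs safely on exported logs from any host.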

The Daily Swig asked SonarSource whether or not the vulnerabilities might have been abused in the wild, as well as what lessons its findings offered to other software developers.

No word back as yet but we’ll update this story as and when more information comes to hand.
