Debian 11: DLA-3953-1 critical: icinga2 privilege escalation and TLS flaws
debian lts
November 15, 2024
Icinga 2 is a general-purpose monitoring application to fit the needs of any size of network
Topics Covered
Summary
CVE-2021-32739
From version 2.4.0 through version 2.12.4, a vulnerability exists that
may allow privilege escalation for authenticated API users. With a
read-only user's credentials, an attacker can view most attributes of
all config objects including `ticket_salt` of `ApiListener`. This salt
is enough to compute a ticket for every possible common name (CN). A
ticket, the master node's certificate, and a self-signed certificate are
enough to successfully request the desired certificate from Icinga. That
certificate may in turn be used to steal an endpoint or API user's
identity.
CVE-2021-32743
In versions prior to 2.11.10 and from version 2.12.0 through version
2.12.4, some of the Icinga 2 features that require credentials for
external services expose those credentials through the API to
authenticated API users with read permissions for the corresponding
object types. An attacker who obtains these credentials can impersonate
PREVIOUS 
NEXT Severity
critical
Lowest
Low
Medium
High
Critical
Package: icinga2
Version: 2.12.3-1+deb11u1
CVE ID: CVE-2021-32739 CVE-2021-32743 CVE-2021-37698 CVE-2024-49369
Debian Bug: 991494 1087384
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!