A pair of vulnerabilities in the web control panel of IT monitoring system Icinga created a route for even unauthenticated attackers to run arbitrary PHP code and hijack systems.
The recent resolved web-related vulnerabilities – which were both discovered by security researchers at SonarSource – involved two path traversal vulnerabilities and a flaw that makes it possible to execute arbitrary PHP code from the administrator interface.
Path to exploitation
CVE-2022-24716 is a path traversal bug in Icinga Web 2 and CVE-2022-24715 is a separate path traversal bug that also exploits behaviour of PHP validating a SSH key by using a NULL byte. The PHP vulnerability is in the OpenSSL core extension.
These various vulnerabilities can readily be chained together to compromise a server, SonarSource warns.
Patches have been released and updates to Icinga Web versions 2.8.6, 2.9.6 and 2.10 are recommended. Users are advised to update their installation as well as rotating credentials as an additional precaution.
Icinga offers an open source IT monitoring system that comes with various plugins and can be used to monitor network traffic, disk space, or services running on monitored hosts.
The vulnerabilities stem from coding flaws in the web control panel for the technology, which is known as Icinga Web 2.
Rich pickings
The path traversal vulnerability meant that attackers could potentially access the contents of and local system files accessible to the web server user, including icingaweb2 configuration files with database credentials.
The CVE-2022-24715 vulnerability can result in the execution of arbitrary PHP code from the administration interface
As explained in a technical blog post by SonarSource this week, the two flaws can “easily [be] chained [together] to compromise the server from an unauthenticated position if the attacker can reach the database by first disclosing configuration files and modifying the administrator’s password”.
The Daily Swig asked SonarSource whether or not the vulnerabilities might have been abused in the wild, as well as what lessons its findings offered to other software developers.
No word back as yet but we’ll update this story as and when more information comes to hand.
