CVE-2020-29663
📋 TL;DR
This vulnerability in Icinga 2 allows revoked certificates to be automatically renewed despite being on a Certificate Revocation List (CRL), bypassing certificate revocation checks. This affects Icinga 2 installations using certificate-based authentication with CRL checking enabled. Attackers could potentially use revoked certificates to gain unauthorized access.
💻 Affected Systems
- Icinga 2
📦 What is this software?
Icinga by Icinga
⚠️ Risk & Real-World Impact
Worst Case
Attackers could use revoked certificates to gain administrative access to Icinga 2, potentially compromising monitoring infrastructure and using it as a foothold for lateral movement.
Likely Case
Unauthorized access to Icinga 2 monitoring data and potential manipulation of monitoring alerts and configurations.
If Mitigated
Limited impact if proper network segmentation and access controls prevent unauthorized connections even with valid certificates.
🎯 Exploit Status
Exploitation requires access to a revoked certificate that would normally be rejected. The vulnerability is in the automatic renewal logic, not in initial certificate validation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.11.8 and v2.12.3
Vendor Advisory: https://github.com/Icinga/icinga2/security/advisories/GHSA-pcmr-2p2f-r7j6
Restart Required: Yes
Instructions:
1. Back up the Icinga 2 configuration and data.
2. Stop the Icinga 2 service.
3. Upgrade to v2.11.8 or v2.12.3 using your package manager.
4. Restart the Icinga 2 service.
5. Verify that certificate validation is working correctly.
🔧 Temporary Workarounds
Disable automatic certificate renewal
(Linux) Temporarily disable automatic certificate renewal to prevent revoked certificates from being renewed. Note that disabling the api feature also stops the REST API and cluster communication, so this is only suitable where those are not needed until the patch is applied.
icinga2 feature disable api
systemctl restart icinga2
Manual certificate management
(All platforms) Switch to manual certificate management and renewal instead of automatic renewal.
🧯 If You Can't Patch
- Implement strict network access controls to limit connections to Icinga 2 API endpoints
- Monitor for unusual certificate renewal activity and revoked certificate usage
🔍 How to Verify
Check if Vulnerable:
Check the Icinga 2 version with: icinga2 --version. If the version is between 2.8.0 and 2.11.7 or is exactly 2.12.2, and certificate authentication with CRL checking is enabled, the system is vulnerable.
Check Version:
icinga2 --version | grep 'version'
Verify Fix Applied:
After patching, test with a revoked certificate to ensure it is not renewed. Verify that the reported version is 2.11.8 or later (2.11 series) or 2.12.3 or later.
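The version check above, as an added example that is not part of this advisory page or of the Icinga project: it parses the banner line of icinga2 --version and applies the affected ranges exactly as this page states them. The sample banner text is constructed, and the assumption that packaged builds print the version as "r2.12.2-1" while source builds print "v2.12.2" is mine.

```python
import re

# Affected ranges as stated on this page (inclusive bounds).
VULNERABLE_RANGES = [((2, 8, 0), (2, 11, 7)), ((2, 12, 2), (2, 12, 2))]
# Patched releases named on this page.
FIXED_VERSIONS = [(2, 11, 8), (2, 12, 3)]

# Assumption: the banner contains "version: v2.12.2" (source build) or
# "version: r2.12.2-1" (packaged build with a release suffix).
VERSION_RE = re.compile(r"version:\s*[rv]?(\d+)\.(\d+)\.(\d+)")

# Constructed sample of what `icinga2 --version` prints on a vulnerable host.
SAMPLE_BANNER = (
    "icinga2 - The Icinga 2 network monitoring daemon (version: r2.12.2-1)\n"
    "\nCopyright (c) 2012-2020 Icinga GmbH (https://icinga.com/)\n"
)


def parse_version(output: str) -> tuple:
    """Return (major, minor, patch) parsed from `icinga2 --version` output."""
    match = VERSION_RE.search(output)
    if not match:
        raise ValueError("no Icinga 2 version found in output")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version: tuple) -> bool:
    """True if the version falls in one of the affected ranges on this page."""
    return any(low <= version <= high for low, high in VULNERABLE_RANGES)


def assess(output: str) -> dict:
    """Summarise exposure; CRL-based certificate auth must also be enabled
    for the vulnerability to be reachable, which this check cannot see."""
    version = parse_version(output)
    vulnerable = is_vulnerable(version)
    # Suggest the fixed release in the same minor series when one exists.
    fix = next((f for f in FIXED_VERSIONS if f[:2] == version[:2]), FIXED_VERSIONS[-1])
    return {
        "version": ".".join(map(str, version)),
        "vulnerable": vulnerable,
        "upgrade_to": ".".join(map(str, fix)) if vulnerable else None,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_BANNER))
```

Pipe the real banner in with `icinga2 --version | python3 check.py` after replacing the sample with `sys.stdin.read()`; the CRL-enabled condition still has to be confirmed from the ApiListener configuration.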
📡 Detection & Monitoring
Log Indicators:
- Certificate renewal events for certificates that should be revoked
- API access from unexpected sources using certificates
Network Indicators:
- Unusual API traffic patterns
- Connections using certificates that appear on CRLs
SIEM Query:
source="icinga2" AND ("certificate renewed" OR "api connection")