CVE-2022-24715
📋 TL;DR
This vulnerability allows authenticated users with configuration access in Icinga Web 2 to create SSH resource files in unintended directories, leading to remote code execution. It affects Icinga Web 2 versions before 2.8.6, 2.9.6, and 2.10. Organizations running a vulnerable version that grants configuration privileges to authenticated users are at risk.
💻 Affected Systems
- Icinga Web 2
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with authenticated attackers gaining root/administrator privileges and executing arbitrary code on the server.
Likely Case
Privilege escalation leading to unauthorized access to monitoring data, system manipulation, and potential lateral movement within the network.
If Mitigated
Exposure is limited to authenticated users who hold configuration access; unauthenticated attackers cannot reach the flaw, which reduces the attack surface.
🎯 Exploit Status
Exploit code is publicly available and requires authenticated access with configuration privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.8.6, 2.9.6, or 2.10
Vendor Advisory: https://github.com/Icinga/icingaweb2/security/advisories/GHSA-v9mv-h52f-7g63
Restart Required: Yes
Instructions:
1. Back up the current configuration and data.
2. Download the patched version from the official Icinga repository.
3. Follow the upgrade instructions for your specific version.
4. Restart the Icinga Web 2 service.
5. Verify functionality.
🔧 Temporary Workarounds
Restrict Configuration Access
Limit Icinga Web 2 configuration access to only essential administrators.
# Review and modify user roles in Icinga Web 2 configuration
# Remove configuration privileges from non-essential users
🧯 If You Can't Patch
- Immediately restrict Icinga Web 2 configuration access to minimal required administrators only.
- Implement network segmentation to isolate Icinga Web 2 from critical systems and monitor for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check the Icinga Web 2 version via the web interface or configuration files. A version is vulnerable if it predates the fixed release for its branch: below 2.8.6 on the 2.8 branch, below 2.9.6 on the 2.9 branch, or any other release below 2.10.
Check Version:
grep 'version' /etc/icingaweb2/config.ini, or check the About page in the web interface
Verify Fix Applied:
Verify version is 2.8.6, 2.9.6, or 2.10+ and test configuration functionality.
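Because the fix landed in three separate releases, a plain "less than" comparison gets branch boundaries wrong (2.9.6 is below 2.10 yet fixed). The following branch-aware check is an added example, not part of the advisory or of the Icinga project; it only encodes the fixed versions named above, and the sample version strings in it are constructed for illustration.

```python
"""Branch-aware version check for CVE-2022-24715 (Icinga Web 2).

Added example, not from the advisory page or the Icinga project. It encodes
the page's fix versions (2.8.6, 2.9.6, 2.10) and decides whether a reported
version string still falls in the vulnerable range.
"""
import re
from typing import Optional, Tuple

# Fixed release per maintained branch, as listed in the advisory.
FIXED_BY_BRANCH = {(2, 8): (2, 8, 6), (2, 9): (2, 9, 6)}
# Anything at or above 2.10 is fixed.
FIXED_FLOOR = (2, 10, 0)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract a MAJOR.MINOR[.PATCH] tuple from free-form text.

    Accepts strings such as 'Icinga Web 2 Version 2.9.5' or '2.10'.
    A missing patch number is read as 0; any suffix after the numeric
    part is ignored. Returns None when no version is present.
    """
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    """True if the version predates the fix for its release branch."""
    if version >= FIXED_FLOOR:
        return False
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is not None:
        # 2.8.x / 2.9.x: compare against the branch's own fixed release.
        return version < fixed
    # Older branches (e.g. 2.7.x) never received a fix; upgrade is required.
    return True


def assess(text: str) -> str:
    """Return a one-word verdict: 'vulnerable', 'fixed' or 'unknown'."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(v) else "fixed"


if __name__ == "__main__":
    # Constructed sample strings as they might appear on the About page.
    for sample in ["2.7.3", "2.8.5", "2.8.6", "2.9.5", "2.9.6", "2.10", "2.11.1", "n/a"]:
        print(f"{sample:>8}: {assess(sample)}")
```

Feed it the version string you read from the About page (or from wherever your installation records it); an "unknown" verdict means the text contained no parseable version and needs a manual look.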
📡 Detection & Monitoring
Log Indicators:
- Unauthorized SSH resource file creation
- Unusual configuration changes by non-admin users
- Suspicious process execution from Icinga directories
Network Indicators:
- Unexpected outbound connections from Icinga server
- SSH connections to unusual destinations
SIEM Query:
source="icinga*" AND (event="config_change" OR event="file_create") AND user!="admin"
🔗 References
- http://packetstormsecurity.com/files/173516/Icinga-Web-2.10-Remote-Code-Execution.html
- https://github.com/Icinga/icingaweb2/commit/a06d915467ca943a4b406eb9587764b8ec34cafb
- https://github.com/Icinga/icingaweb2/security/advisories/GHSA-v9mv-h52f-7g63
- https://security.gentoo.org/glsa/202208-05