CVE-2024-28872
📋 TL;DR
A TLS certificate validation flaw in Stork management tool allows attackers to obtain valid certificates from the Stork server and use them to connect to Stork agents. Once connected, attackers can send malicious commands to monitored services (Kea or BIND 9), potentially causing data loss or denial of service. Only customers using Stork management tool versions 0.15.0 through 1.15.0 are affected.
💻 Affected Systems
- Stork management tool
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of monitored DNS/DHCP infrastructure leading to data exfiltration, service disruption, and potential lateral movement to other systems.
Likely Case
Unauthorized command execution on monitored services resulting in service disruption or configuration changes.
If Mitigated
Limited impact due to network segmentation and proper certificate management controls.
🎯 Exploit Status
Exploitation requires obtaining valid TLS certificates from the Stork server first, which may require some level of access or social engineering.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.16.0 or later
Vendor Advisory: https://kb.isc.org/docs/cve-2024-28872
Restart Required: Yes
Instructions:
1. Backup current configuration. 2. Upgrade Stork to version 1.16.0 or later. 3. Restart Stork services. 4. Verify certificate validation is functioning correctly.
🔧 Temporary Workarounds
Network segmentation
allIsolate Stork management network from production and user networks
Certificate rotation
linuxRotate all TLS certificates used by Stork components
# Regenerate Stork certificates
stork-tool cert-renew --all
🧯 If You Can't Patch
- Implement strict network access controls to limit who can connect to Stork server and agents
- Monitor for unusual certificate requests or connections to Stork agents from unexpected sources
🔍 How to Verify
Check if Vulnerable:
Check Stork version with: stork-agent --version or stork-server --version. If version is between 0.15.0 and 1.15.0 inclusive, system is vulnerable.Check Version:
stork-server --version && stork-agent --versionVerify Fix Applied:
Verify version is 1.16.0 or later and test TLS certificate validation by attempting to connect with invalid certificates.📡 Detection & Monitoring
Log Indicators:
- Failed certificate validation attempts
- Unexpected connections to Stork agents
- Unusual command execution in monitored services
Network Indicators:
- Unexpected TLS handshakes with Stork agents
- Traffic from unauthorized sources to Stork agent ports
SIEM Query:
source="stork*" AND (event_type="certificate_error" OR event_type="unauthorized_connection")