CVE-2025-61909
📋 TL;DR
This vulnerability allows the Icinga daemon user to send signals to arbitrary processes by exploiting a race condition in the safe-reload script and logrotate configuration. The issue occurs because these scripts read PID files writable by the daemon user but execute signal commands as root. Affected systems are Icinga 2 installations from version 2.10.0 up to (but not including) 2.15.1, 2.14.7, and 2.13.13.
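An added illustration of the defensive pattern the advisory implies (this is not Icinga's safe-reload script nor the upstream fix): a privileged script must not trust a PID read from a file the daemon user can write, so it checks the file's permissions, rejects malformed or broadcast PIDs, and confirms the live process's owner and command name before signalling. It assumes Linux (/proc) and takes the expected user and command name as constructed parameters.

```shell
#!/bin/sh
# Illustrative check only; not Icinga's own code. Assumes Linux /proc.
# Verify a PID-file target before a root-run script signals it.
# Prints the PID and returns 0 only when every check passes.
check_pidfile_target() {
    pidfile=$1; want_user=$2; want_comm=$3

    [ -f "$pidfile" ] || { echo "no pidfile" >&2; return 1; }

    # A PID file that others can rewrite is exactly the race the advisory describes.
    # Positions 6 and 9 of 'ls -l' output are the group-write and other-write bits.
    case $(ls -ld "$pidfile" | cut -c6,9) in
        *w*) echo "pidfile is group/world-writable" >&2; return 1 ;;
    esac

    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    # Reject empty, negative or non-numeric content: "kill -HUP -1" signals every process.
    case $pid in
        ''|*[!0-9]*) echo "malformed pid '$pid'" >&2; return 1 ;;
    esac
    [ "$pid" -gt 1 ] || { echo "refusing pid $pid" >&2; return 1; }

    # Compare the live process against expectations instead of trusting the file.
    [ -r "/proc/$pid/status" ] || { echo "no process $pid" >&2; return 1; }
    owner_uid=$(awk '/^Uid:/ {print $2}' "/proc/$pid/status")
    comm=$(awk '/^Name:/ {print $2}' "/proc/$pid/status")
    want_uid=$(id -u "$want_user") || return 1
    [ "$owner_uid" = "$want_uid" ] || { echo "pid $pid not owned by $want_user" >&2; return 1; }
    [ "$comm" = "$want_comm" ] || { echo "pid $pid runs '$comm', not $want_comm" >&2; return 1; }

    echo "$pid"
}

# Only signal a target that passed verification.
reload_verified() {
    pid=$(check_pidfile_target "$1" "$2" "$3") || return 1
    kill -HUP "$pid"
}
```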
💻 Affected Systems
- Icinga 2
📦 What is this software?
Icinga by Icinga
⚠️ Risk & Real-World Impact
Worst Case
The Icinga user could send kill signals to critical system processes, potentially causing denial of service or system instability by terminating essential services.
Likely Case
Limited privilege escalation allowing the Icinga user to interfere with other processes running under the same user or with similar permissions, potentially disrupting monitoring functionality.
If Mitigated
With proper process isolation and minimal privileges, impact is limited to the Icinga service itself and related processes.
🎯 Exploit Status
Exploitation requires local access as the Icinga daemon user and involves race condition timing to manipulate PID files before they're read by root-owned scripts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.15.1, 2.14.7, or 2.13.13
Vendor Advisory: https://github.com/Icinga/icinga2/security/advisories/GHSA-pg6g-g99v-mw46
Restart Required: No
Instructions:
1. Identify the current Icinga 2 version using 'icinga2 --version'.
2. Upgrade to the patched version for your release branch: 2.15.1, 2.14.7, or 2.13.13.
3. Use your package manager (apt/yum) or compile from source.
4. No service restart is required for the fix itself; the reload functionality will use the corrected scripts.
🔧 Temporary Workarounds
Restrict Icinga user permissions
Limit the Icinga daemon user's ability to write to PID files or execute signal commands
chmod 644 /var/run/icinga2/icinga2.pid
chown root:root /var/run/icinga2/icinga2.pid
Disable automatic log rotation
Temporarily disable logrotate for Icinga 2 to prevent exploitation through that vector
mv /etc/logrotate.d/icinga2 /etc/logrotate.d/icinga2.disabled
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized users from obtaining Icinga daemon user privileges
- Monitor PID file modifications and signal operations from the Icinga user for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check the Icinga version with 'icinga2 --version' and verify whether it is 2.10.0 or later but older than the patched version for its branch. Also check whether the safe-reload script exists: 'ls -la /usr/lib/icinga2/safe-reload'
Check Version:
icinga2 --version
Verify Fix Applied:
Verify that the version reported by 'icinga2 --version' is 2.15.1, 2.14.7, or 2.13.13, and check that commit 51ec73cbd922a76fc0f60e1d8d33acd7caa5d587 is included in your installation.
📡 Detection & Monitoring
Log Indicators:
- Unexpected signal operations from icinga2 user
- PID file modification timestamps coinciding with reload operations
- Process termination events in system logs from icinga2 user
Network Indicators:
- No network indicators - this is a local privilege escalation vulnerability
SIEM Query:
source="system" AND (user="icinga" OR user="icinga2") AND (event="signal" OR event="kill" OR event="terminate")
🔗 References
- https://github.com/Icinga/icinga2/commit/51ec73cbd922a76fc0f60e1d8d33acd7caa5d587
- https://github.com/Icinga/icinga2/issues/10527
- https://github.com/Icinga/icinga2/security/advisories/GHSA-pg6g-g99v-mw46
- https://icinga.com/blog/releasing-icinga-2-v2-15-1-2-14-7-and-2-13-13-and-icinga-db-web-v1-2-3-and-1-1-4