Impact
None of Icinga Director's configuration forms used to manipulate the monitoring environment are protected against cross-site request forgery (CSRF).
This allows an attacker to make changes to the monitoring environment managed by Icinga Director without the victim's knowledge: the victim's browser attaches the Icinga Web session cookie to a request the attacker forged, and Director cannot tell that request from one the victim submitted through one of its own forms.
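To make the weakness concrete, here is an added example (not code from Icinga Director or Icinga Web) of what a form handler without CSRF protection amounts to, beside a handler that checks a per-session synchronizer token. The `Session` class, `apply_change` and the form fields are stand-ins constructed for the example. The forged request needs nothing but the victim's browser attaching the session cookie, which it does automatically; the token, by contrast, lives only in the server-side session and in the page the server rendered to the victim, which a cross-origin attacker page cannot read.

```python
import hmac
import secrets


class Session:
    """Stands in for the server-side session store keyed by the browser's session cookie."""

    def __init__(self) -> None:
        self.data: dict = {}


def apply_change(form: dict) -> str:
    """Placeholder for what a Director form does (create a command, a host, an import source ...)."""
    return f"{form['action']} {form['object']}"


def handle_unprotected(session: Session, form: dict) -> str:
    """Unprotected handler: anything that arrives with a valid session cookie is applied."""
    return apply_change(form)


def issue_csrf_token(session: Session) -> str:
    """Per-session random token; the server embeds it in every rendered form as a hidden field."""
    if "csrf_token" not in session.data:
        session.data["csrf_token"] = secrets.token_urlsafe(32)
    return session.data["csrf_token"]


def handle_protected(session: Session, form: dict) -> str:
    """Synchronizer-token check: the submitted token must match the one stored in the session."""
    expected = session.data.get("csrf_token")
    supplied = form.get("csrf_token", "")
    # compare_digest keeps the comparison constant-time; a missing token is rejected as well
    if expected is None or not hmac.compare_digest(expected, supplied):
        raise PermissionError("CSRF token missing or invalid")
    return apply_change(form)


def simulate() -> dict:
    """Constructed scenario: one victim session, one legitimate form, one forged form."""
    victim = Session()  # the browser attaches this session's cookie to every request to Director
    # The page rendered to the victim carries the token; the attacker's page cannot read it
    # (cross-origin) and can therefore only forge the visible form fields.
    legit = {"action": "create", "object": "host web01", "csrf_token": issue_csrf_token(victim)}
    forged = {"action": "create", "object": "command check_updates"}
    guessed = dict(forged, csrf_token=secrets.token_urlsafe(32))  # attacker guessing blindly

    results = {
        "unprotected_forged": handle_unprotected(victim, forged),
        "protected_legit": handle_protected(victim, legit),
    }
    for name, form in (("protected_forged", forged), ("protected_guessed", guessed)):
        try:
            handle_protected(victim, form)
            results[name] = "applied"
        except PermissionError as err:
            results[name] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name:20s} -> {outcome}")
```

The check has to run on the server for every state-changing form, and the token must be bound to the session rather than shared across users; the browser-side SameSite defaults discussed below are defence in depth, not a substitute.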
There are two ways a forged request can be delivered, and both require luring an unsuspecting user who is currently logged into Icinga Web with the appropriate access rights into one of the following:
Visit a Specially Crafted Website
A website set up by the attacker may be able to manipulate the monitoring environment if a user visits or interacts with it. In the worst case, merely visiting the website triggers multiple changes.
For this to work, the browser must send the user's session cookie (the access credential) along with the cross-site requests the attacker's page issues.
Modern browsers, however, impose several security measures that can block this:
- Firefox protects cookies with Total Cookie Protection [1], enabled by default since April 2023
- Safari uses a similar mechanism, "Prevent cross-site tracking" [2], found in its privacy preferences
- Chrome, Opera and Edge rely on the cookie's SameSite attribute and, since February 2020 [3], treat a cookie that does not set it as SameSite=Lax; Icinga Web's session cookie sets no such attribute, so this default applies. Note the Lax+POST exception: a cookie without the attribute that was set less than two minutes ago is still sent on a top-level cross-site POST.
These measures mainly withhold cookies from requests made by embedded or background content. A top-level navigation to Icinga Web, such as a form the attacker's page submits, is a first-party request for Icinga Web and still carries the cookie unless a SameSite rule blocks it. They reduce the exposure but do not replace CSRF protection in the forms themselves.
Click a Specially Crafted URL
Known cross-site scripting (XSS) vulnerabilities in Icinga Web [4] and in the map module by Nicola Buchwitz [5] may allow the attacker to bypass any measure imposed by the browser: script injected into a page served by Icinga Web runs in the same site as Director's forms, so the requests it issues are not cross-site and carry the session cookie regardless of SameSite or tracking protection.
Users of the map module in version 1.x should upgrade to v2.0 immediately. The mentioned XSS vulnerabilities in Icinga Web have already been fixed; upgrade to the most recent release of the 2.9, 2.10 or 2.11 branch if you have not done so yet. Any later release is suitable as well.
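The following added example (not from Icinga or any browser vendor) models the cookie-attachment decision behind both delivery routes above as a small Python function: the Lax-by-default treatment that Chrome-family browsers apply to cookies lacking a SameSite attribute, including the two-minute Lax+POST allowance, compared with a browser that has no such default. The site names, the `Cookie` and `Request` types and the scenarios are constructed; cookie partitioning as done by Firefox's and Safari's tracking protection is deliberately not modelled. It shows why an auto-submitted cross-site POST gets no cookie under the Lax default while a cross-site GET navigation still does, and why a request issued by script injected through XSS is same-site and always carries the cookie.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cookie:
    same_site: Optional[str]   # "Strict", "Lax", "None", or None when the attribute is absent
    age_seconds: int = 3600    # time since the cookie was set; only matters for Lax+POST


@dataclass(frozen=True)
class Request:
    method: str
    initiator_site: str        # registrable domain of the page that issued the request
    target_site: str           # registrable domain the request goes to
    top_level: bool            # True for a navigation (form submit, link), False for iframe/fetch/img


LAX_POST_WINDOW = 120                           # seconds: Chrome's "Lax + POST" allowance
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def effective_same_site(cookie: Cookie, lax_by_default: bool) -> str:
    """A cookie without a SameSite attribute is treated as Lax by Chrome-family browsers
    (since February 2020) and as None by a browser without that default."""
    if cookie.same_site is not None:
        return cookie.same_site
    return "Lax" if lax_by_default else "None"


def cookie_sent(cookie: Cookie, req: Request, lax_by_default: bool = True) -> bool:
    """Decide whether the session cookie accompanies `req` (simplified model)."""
    if req.initiator_site == req.target_site:
        return True   # same-site request: SameSite never applies (this is the XSS case)
    mode = effective_same_site(cookie, lax_by_default)
    if mode == "None":
        return True
    if mode == "Strict":
        return False
    # Lax: only top-level navigations with safe methods ...
    if not req.top_level:
        return False
    if req.method.upper() in SAFE_METHODS:
        return True
    # ... plus the Lax+POST exception for defaulted cookies younger than two minutes
    return cookie.same_site is None and cookie.age_seconds < LAX_POST_WINDOW


# Constructed site names; Icinga Web's session cookie carries no SameSite attribute.
DIRECTOR = "icinga.example"
ATTACKER = "attacker.example"
DEFAULTED = Cookie(same_site=None)


def scenarios() -> dict:
    """Each case maps to (sent under Lax-by-default, sent by a browser without that default)."""
    cases = {
        "attacker page auto-submits POST form":  Request("POST", ATTACKER, DIRECTOR, top_level=True),
        "attacker page triggers GET navigation": Request("GET", ATTACKER, DIRECTOR, top_level=True),
        "attacker page POSTs from hidden iframe": Request("POST", ATTACKER, DIRECTOR, top_level=False),
        "script injected via XSS POSTs in-page":  Request("POST", DIRECTOR, DIRECTOR, top_level=False),
    }
    return {name: (cookie_sent(DEFAULTED, r, True), cookie_sent(DEFAULTED, r, False))
            for name, r in cases.items()}


if __name__ == "__main__":
    for name, (lax_default, no_default) in scenarios().items():
        print(f"{name:42s} Lax-by-default: {str(lax_default):5s}  no default: {no_default}")
```

Two of the rows are the ones to remember: the GET navigation row shows that Lax protects only forms that change state on POST, and the XSS row shows that no browser-side cookie rule helps once script runs inside Icinga Web.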
What can you do?
Icinga Director will receive minor updates to the 1.8, 1.9, 1.10 and 1.11 branches to remedy this issue.
Upgrade to a patched release immediately. If that is not feasible, disable the Director module for the time being.
Have you already been attacked?
Since an attacker can manipulate everything Icinga Director allows to be adjusted, the changes may be substantial. Some require specific knowledge of the monitoring system, but many do not. Check for unknown objects and suspicious changes in these key areas:
- Commands and Templates
- Import-Sources
As long as Icinga Director is not upgraded and patched, also keep an eye on the Activity Log, which may contain suspicious entries. A forged request runs in the victim's session and is therefore recorded under the victim's user name, so look at what was changed and when, not only at who is listed as the author.
In very rare cases, the attacker may have been able to gain limited system access, since commands defined in Director are deployed to and executed by Icinga 2. If Icinga is running on a host that can connect to the Internet, check network activity for suspicious connections.
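As an added example (not a tool shipped with Director), the following Python triages activity-log entries along the lines suggested above: it flags creations and modifications of commands, templates and import sources, and groups of changes recorded for one user within a few seconds, since a forged page fires its requests almost simultaneously while a person edits at a human pace. The rows are constructed and their field names (author, change_time, action_name, object_type, object_name) are an assumption made for the example, not Director's schema; adapt them to however you export the Activity Log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample entries. The field names are assumed for this example and model what
# the Activity Log shows (who, when, which action, which object); they are not Director's schema.
ROWS = [
    {"author": "alice", "change_time": "2023-06-01 09:12:04", "action_name": "modify",
     "object_type": "icinga_host", "object_name": "web01"},
    {"author": "alice", "change_time": "2023-06-01 13:41:10", "action_name": "create",
     "object_type": "icinga_command", "object_name": "check_updates"},
    {"author": "alice", "change_time": "2023-06-01 13:41:11", "action_name": "create",
     "object_type": "icinga_host_template", "object_name": "generic-host-2"},
    {"author": "alice", "change_time": "2023-06-01 13:41:11", "action_name": "create",
     "object_type": "import_source", "object_name": "csv-import"},
    {"author": "bob", "change_time": "2023-06-01 15:02:30", "action_name": "modify",
     "object_type": "icinga_service", "object_name": "http on web01"},
]

# The areas singled out above: commands, templates, import sources (type names assumed).
HIGH_RISK_TYPES = {"icinga_command", "icinga_host_template", "icinga_service_template", "import_source"}


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def flag_high_risk(rows: list) -> list:
    """Creations and modifications of objects whose abuse needs little knowledge of the setup."""
    return [r for r in rows
            if r["object_type"] in HIGH_RISK_TYPES and r["action_name"] in ("create", "modify")]


def find_bursts(rows: list, window: timedelta = timedelta(seconds=5), minimum: int = 3) -> list:
    """Runs of at least `minimum` changes by one author, each within `window` of the previous.
    Returns (author, [rows]) pairs. A forged page submits its forms back to back; a human does not."""
    by_author = defaultdict(list)
    for row in sorted(rows, key=lambda r: parse_time(r["change_time"])):
        by_author[row["author"]].append(row)

    bursts = []
    for author, items in by_author.items():
        group = [items[0]]
        for prev, cur in zip(items, items[1:]):
            if parse_time(cur["change_time"]) - parse_time(prev["change_time"]) <= window:
                group.append(cur)
            else:
                if len(group) >= minimum:
                    bursts.append((author, group))
                group = [cur]
        if len(group) >= minimum:
            bursts.append((author, group))
    return bursts


def triage(rows: list) -> list:
    """Human-readable findings; the author is the victim's account, so the user name alone proves nothing."""
    findings = [f"high-risk {r['action_name']} of {r['object_type']} '{r['object_name']}' "
                f"by {r['author']} at {r['change_time']}" for r in flag_high_risk(rows)]
    for author, group in find_bursts(rows):
        findings.append(f"burst: {len(group)} changes by {author} between "
                        f"{group[0]['change_time']} and {group[-1]['change_time']}")
    return findings


if __name__ == "__main__":
    for line in triage(ROWS):
        print(line)
```

On the constructed rows this reports three high-risk creations and one three-change burst attributed to alice; in a real log, confirm such a burst with the user before treating it as benign, and compare the objects against the deployed configuration and the activity of the Icinga 2 host.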
References
[1] https://blog.mozilla.org/en/mozilla/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide/
[2] https://support.apple.com/en-is/guide/safari/sfri11471/16.0
[3] https://www.chromium.org/updates/same-site/
[4] https://github.com/Icinga/icingaweb2/issues?q=is%3Aissue++is%3Aclosed+4979+4960+4947
[5] nbuchwitz/icingaweb2-module-map#86