CVE-2022-24715
Published 2022-03-08
Priority: P2 70 high · CVSS 3.1: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 14.67% (96.2th percentile)
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2. Users unable to upgrade should limit access to the Icinga Web 2 configuration.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | icingaweb2 | < icingaweb2 2.9.6-1 (bookworm) | icingaweb2 2.9.6-1 (bookworm) |
| icinga | icinga_web_2 | < 2.8.6 | 2.8.6 |
| icinga | icinga_web_2 | >= 2.9.0 < 2.9.6 | 2.9.6 |
| icinga | icingaweb2 | < 2.8.6 | 2.8.6 |
| icinga | icingaweb2 | — | — |
| icinga | icingaweb2 | >= 0 < 2.9.6-1 | 2.9.6-1 |
| icinga | icingaweb2 | >= 0 < 2.9.6-1 | 2.9.6-1 |
| icinga | icingaweb2 | >= 0 < 2.9.6-1 | 2.9.6-1 |
Detection & IOCs
- Detect path traversal in the SSH resource 'user' field: POST to /icingaweb2/config/createresource with a 'user' parameter containing '../' sequences pointing to /dev/shm/
- Detect SSH resource creation with 'name' field containing 'shm/' (path traversal prefix) via POST to /icingaweb2/config/createresource
- Detect suspicious module path configuration: POST to /icingaweb2/config/general with global_module_path set to /dev/shm/ or other world-writable directories
- Detect PHP webshell access via the icinga-php-thirdparty path: GET requests to /icingaweb2/lib/icinga/icinga-php-thirdparty/dev/shm/*/run.php
- Detect rapid sequential POST requests to createresource, config/general, moduleenable, and moduledisable endpoints from the same authenticated session; this sequence is characteristic of the exploit chain
- Detect reverse shell execution via dashboard query parameter: GET /icingaweb2/dashboard?<random>=bash+/tmp/<random> pattern indicates RCE stage of exploit
- The exploit requires authentication and access to the Icinga Web 2 configuration interface; unauthenticated users cannot trigger this vulnerability.
- Fixed versions are 2.8.6, 2.9.6, and 2.10; detections should be prioritised on instances running versions below these thresholds.
- Mitigation without patching requires restricting access to the Icinga Web 2 configuration interface entirely.
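As an added example (not part of the source advisory or of Icinga's code), the sketch below applies the two indicators from the list that are visible in a web-server access log: the GET for `run.php` under `/dev/shm` and the burst of configuration POSTs from one client. It assumes combined log format, uses the client IP as a stand-in for the authenticated session, and picks a 60-second window; the indicators that depend on POST body fields need request-body logging and are not covered.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log-format prefix: client, timestamp, method, request target.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*"')
# GET indicator from the list above: run.php served from under /dev/shm.
SHM_SCRIPT_RE = re.compile(
    r"^/icingaweb2/lib/icinga/icinga-php-thirdparty/dev/shm/[^/]+/run\.php$")
# POST endpoints whose rapid combination the list calls characteristic.
CHAIN = ("config/createresource", "config/general", "moduleenable", "moduledisable")
WINDOW = timedelta(seconds=60)  # assumption: tune per environment

def parse(line):
    m = LINE_RE.match(line)
    if not m: return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts, m.group(3), m.group(4).split("?", 1)[0]

def scan(lines):
    """Return sorted (client, finding) pairs; 'config-chain' means one client
    posted to all four CHAIN endpoints within WINDOW."""
    findings, posts = set(), defaultdict(list)  # posts: client -> [(time, endpoint)]
    for client, ts, method, path in filter(None, map(parse, lines)):
        if method == "GET" and SHM_SCRIPT_RE.match(path):
            findings.add((client, "shm-script-access"))
        if method == "POST":
            posts[client] += [(ts, ep) for ep in CHAIN
                              if path.rstrip("/").endswith("/" + ep)]
    for client, hits in posts.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            if {ep for t, ep in hits[i:] if t - start <= WINDOW} == set(CHAIN):
                findings.add((client, "config-chain"))
                break
    return sorted(findings)

def _line(ip, hms, method, path):  # builds one constructed log line
    return f'{ip} - user [08/Mar/2022:{hms} +0000] "{method} {path} HTTP/1.1" 200 0'
# Constructed sample (documentation IPs, made-up paths and directory name), not real traffic.
SAMPLE = [
    _line("198.51.100.7", "10:00:01", "POST", "/icingaweb2/config/createresource"),
    _line("198.51.100.7", "10:00:02", "POST", "/icingaweb2/config/general"),
    _line("198.51.100.7", "10:00:03", "POST", "/icingaweb2/config/moduleenable"),
    _line("198.51.100.7", "10:00:04", "GET",
          "/icingaweb2/lib/icinga/icinga-php-thirdparty/dev/shm/example/run.php"),
    _line("198.51.100.7", "10:00:05", "POST", "/icingaweb2/config/moduledisable"),
    _line("203.0.113.20", "09:00:00", "POST", "/icingaweb2/config/general"),
    _line("203.0.113.20", "11:30:00", "POST", "/icingaweb2/config/createresource"),
]
```

`scan(SAMPLE)` flags only the first client; the second client's two configuration changes, hours apart, do not form the chain.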
CVSS provenance
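| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.5 | HIGH | — |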
OSV
CVE-2022-24715: Icinga Web 2 is an open source monitoring web interface, framework and command-line interface
osv·2022-03-08·CVSS 8.8
Debian
CVE-2022-24715: icingaweb2 - Icinga Web 2 is an open source monitoring web interface, framework and command-l...
vendor_debian·2022·CVSS 8.5
Scope: local
bookworm: resolved (fixed in 2.9.6-1)
bullseye: open
forky: resolved (fixed in 2.9.6-1)
sid: resolved (fixed in 2.9.6-1)
trixie: resolved (fixed in 2.9.6-1)
- http://packetstormsecurity.com/files/173516/Icinga-Web-2.10-Remote-Code-Execution.html
- https://github.com/Icinga/icingaweb2/commit/a06d915467ca943a4b406eb9587764b8ec34cafb
- https://github.com/Icinga/icingaweb2/security/advisories/GHSA-v9mv-h52f-7g63
- https://security.gentoo.org/glsa/202208-05