Icinga 2 Certificate Validation Vulnerability Allowing Impersonation of Trusted Nodes

Vulnerability

Icinga 2 versions through 2.14.5 (and the 2.13.x and 2.12.x branches before 2.13.12 and 2.12.12) contain a flaw in the VerifyCertificate() function that can be tricked into treating a certificate as valid when it is not. An attacker can submit a malicious certificate request that the signing master then mistakes for a renewal of an existing, already-trusted certificate. The master signs it, and the attacker ends up with a certificate issued by the cluster CA that can be used to impersonate trusted nodes. The issue arises only when Icinga 2 is compiled against OpenSSL older than 1.1.0; OpenSSL 1.1.0 changed how certificate validity is handled, and builds linked against 1.1.0 or newer are not affected. The flaw can be triggered over a direct TLS connection to a master node that signs certificates, or through other nodes that forward the certificate request to that master.

Impact

Successful exploitation gives the attacker a certificate signed by the cluster's CA. Any node that trusts that CA will accept TLS connections from the holder, so the certificate can be used to impersonate trusted nodes on the Icinga 2 network.

Reproduction

To reproduce this vulnerability, first confirm that the signing master runs an affected release (2.14.5 or earlier, or a release below 2.13.12 or 2.12.12 on those branches) and is built against OpenSSL older than 1.1.0; both conditions are required. Both facts appear in the output of 'icinga2 --version' (the build information section lists the OpenSSL version), so 'icinga2 --version | grep OpenSSL' is a quick check. A master built against OpenSSL 1.1.0 or newer is not affected regardless of its Icinga 2 version. If the build is vulnerable, open a direct TLS connection to a master node that signs certificates (or to a node that forwards certificate requests to it) and send a certificate request that triggers the validation flaw, such as one that is not properly signed by the trusted CA. The master mistakes the request for a renewal of an existing certificate, validates it, and issues a valid certificate that can then be used for impersonation.
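The version check above is easy to get wrong by hand because both conditions (affected Icinga 2 release and OpenSSL older than 1.1.0) must hold at once. The following shell script is an added triage helper, not code from the Icinga 2 project or from this advisory: it parses the text of 'icinga2 --version' and reports whether the build is in the affected range. It assumes the banner line has the form "(version: r2.14.5-1)" and that the build information section contains a line "OpenSSL version: OpenSSL <ver> ..."; the two sample outputs embedded in the script are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added triage helper (not part of Icinga 2): decide from `icinga2 --version`
# output whether a build falls in this advisory's affected range.
# Assumptions (the sample texts below are constructed, not captured from a host):
#  - the banner line reads "(version: r<X.Y.Z>-<pkg>)"
#  - the build section has a line "OpenSSL version: OpenSSL <ver> ..."

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B. Components are compared
# numerically; a trailing letter such as the "k" in 1.0.2k is ignored.
vercmp() {
  local a="$1" b="$2" x y
  while [ -n "$a" ] || [ -n "$b" ]; do
    case $a in *.*) x=${a%%.*}; a=${a#*.};; *) x=$a; a="";; esac
    case $b in *.*) y=${b%%.*}; b=${b#*.};; *) y=$b; b="";; esac
    x=$(printf '%s' "$x" | tr -cd '0-9'); y=$(printf '%s' "$y" | tr -cd '0-9')
    if [ "${x:-0}" -lt "${y:-0}" ]; then printf '%s\n' -1; return; fi
    if [ "${x:-0}" -gt "${y:-0}" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# Icinga 2 release from the banner line, e.g. "r2.14.5-1" -> "2.14.5".
icinga_version() {
  printf '%s\n' "$1" | sed -n 's/.*(version: r\{0,1\}\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# OpenSSL version from the build section, e.g. "1.0.2k-fips" -> "1.0.2k".
openssl_version() {
  printf '%s\n' "$1" | sed -n 's/.*OpenSSL version: OpenSSL \([0-9][0-9a-z.]*\).*/\1/p' | head -n 1
}

# icinga_fixed V: succeeds if V is at or above the fixed release of its branch
# (2.14.6, 2.13.12 or 2.12.12, as stated in the advisory).
icinga_fixed() {
  local v="$1"
  [ "$(vercmp "$v" 2.14.6)" -ge 0 ] && return 0
  [ "$(vercmp "$v" 2.13.12)" -ge 0 ] && [ "$(vercmp "$v" 2.14.0)" -lt 0 ] && return 0
  [ "$(vercmp "$v" 2.12.12)" -ge 0 ] && [ "$(vercmp "$v" 2.13.0)" -lt 0 ] && return 0
  return 1
}

# check_build TEXT: prints "affected", "not affected" or "unknown" for the
# given `icinga2 --version` output; exit status 0 only when affected.
check_build() {
  local iv ov
  iv=$(icinga_version "$1"); ov=$(openssl_version "$1")
  if [ -z "$iv" ] || [ -z "$ov" ]; then echo unknown; return 2; fi
  # Both conditions must hold: unfixed release AND OpenSSL older than 1.1.0.
  if ! icinga_fixed "$iv" && [ "$(vercmp "$ov" 1.1.0)" -lt 0 ]; then
    echo affected; return 0
  fi
  echo "not affected"; return 1
}

# Constructed sample outputs (trimmed to the lines the parser needs).
VULN_BUILD='icinga2 - The Icinga 2 network monitoring daemon (version: r2.14.5-1)

Build information:
  Compiler: GNU 4.8.5
  OpenSSL version: OpenSSL 1.0.2k-fips  26 Jan 2017'

SAFE_BUILD='icinga2 - The Icinga 2 network monitoring daemon (version: r2.14.5-1)

Build information:
  Compiler: GNU 11.4.0
  OpenSSL version: OpenSSL 1.1.1k  25 Mar 2021'

# Run it against a live host with: check_build "$(icinga2 --version)"
for sample in "$VULN_BUILD" "$SAFE_BUILD"; do
  printf 'Icinga %s / OpenSSL %s: ' "$(icinga_version "$sample")" "$(openssl_version "$sample")"
  check_build "$sample" || true
done
```

Run the check on the node that actually signs certificates (the CA master), since that is where VerifyCertificate() is evaluated; a satellite that only forwards requests being patched does not protect you if the master is not.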

Remediation

Upgrade Icinga 2 to version 2.14.6, 2.13.12 or 2.12.12, whichever matches the branch in use; upgrade instructions are in the Icinga 2 Release Announcement. Because the flaw only exists in builds compiled against OpenSSL older than 1.1.0, a build linked against OpenSSL 1.1.0 or newer does not have the vulnerable condition, but moving to a fixed release is the supported remediation and should be done on the signing master first.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.6
exploitability: 8.4
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.