Icinga 2 Privilege Escalation Vulnerability via PID File Signal Manipulation

Vulnerability

A vulnerability in Icinga 2 versions from 2.10.0 up to, but not including, 2.15.1, 2.14.7, and 2.13.13 allows the Icinga 2 daemon user to send signals to arbitrary processes as the root user. This issue arises because the safe-reload script and logrotate configuration read the PID of the Icinga 2 process from a PID file that the daemon user can write to, and then send signals as root. The vulnerability could be exploited by replacing the PID file with a symbolic link or named pipe, leading to a local denial-of-service, or by inserting an arbitrary PID to disrupt other processes. This issue is particularly concerning if the Icinga service user account is compromised.

Impact

Exploitation of this vulnerability could lead to unauthorized signaling of processes, potentially causing disruption or interference with those processes.

Reproduction

The vulnerability can be reproduced by modifying the Icinga 2 PID file to include an arbitrary PID or by replacing it with a symbolic link or named pipe. Then, invoke the safe-reload script or the logrotate configuration, which will read the manipulated PID file and send signals to the specified process, bypassing normal permission restrictions.

Remediation

Users should upgrade to Icinga 2 versions 2.15.1, 2.14.7, or 2.13.13. After upgrading, check the logrotate configuration file at '/etc/logrotate.d/icinga2' to ensure it has been updated correctly. If the file still uses the 'kill' command to send signals, it needs to be modified to use the 'icinga2 internal signal' command instead.
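
The post-upgrade check described above can be scripted. The following is an added example, not code from the Icinga project: it classifies a logrotate file by whether its active (non-comment) lines still call 'kill' or use 'icinga2 internal signal'. The function names, the sample file contents, the PLACEHOLDER paths and ARGS_ELIDED are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Icinga project code). Classify a logrotate file:
#   0 = signals via 'icinga2 internal signal'   1 = still calls 'kill'
#   2 = file not readable                       3 = neither found, review by hand
audit_icinga2_logrotate() {
    conf=$1
    [ -r "$conf" ] || return 2
    # Ignore comment lines so a commented-out old command is not flagged.
    active=$(grep -v '^[[:space:]]*#' "$conf" || true)
    # 'kill' as a command word: matches 'kill' and '/bin/kill', not 'pkill'.
    if printf '%s\n' "$active" | grep -Eq '(^|[^[:alnum:]_])kill([[:space:]]|$)'; then
        return 1
    fi
    if printf '%s\n' "$active" | grep -Eq 'icinga2[[:space:]]+internal[[:space:]]+signal'; then
        return 0
    fi
    return 3
}

# Constructed sample files for the demo; real packaged files differ in detail.
write_samples() {
    dir=$1
    cat > "$dir/old.conf" <<'EOF'
/PLACEHOLDER/icinga2.log {
    postrotate
        /bin/kill -USR1 $(cat /PLACEHOLDER/icinga2.pid 2>/dev/null) 2>/dev/null || true
    endscript
}
EOF
    cat > "$dir/new.conf" <<'EOF'
/PLACEHOLDER/icinga2.log {
    postrotate
        # kill -USR1 ... (old command, left commented out)
        icinga2 internal signal ARGS_ELIDED
    endscript
}
EOF
}

demo() {
    tmp=$(mktemp -d) || return 1
    write_samples "$tmp"
    for f in old.conf new.conf missing.conf; do
        rc=0; audit_icinga2_logrotate "$tmp/$f" || rc=$?
        echo "$f -> $rc"
    done
    rm -rf "$tmp"
}
demo
```

To audit a real host, call audit_icinga2_logrotate /etc/logrotate.d/icinga2 and treat any status other than 0 as a file that needs manual review.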

Added: Oct 16, 2025, 6:23 PM
Updated: Oct 16, 2025, 6:23 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.8
exploitability: 3.8
remediation: 7.7
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.