Icinga 2
cpe:2.3:a:icinga:icinga:*:*:*:*:*:*:*
- >= 2.3, <= 2.15.1
A vulnerability exists in Icinga 2 versions 2.3.0 through 2.15.1 and in Icinga for Windows versions prior to 1.13.4, 1.12.4, and 1.11.2. The issue arises because the Icinga 2 MSI package did not apply the correct permissions to the '%ProgramData%\icinga2\var' directory on Windows. As a result, the folder's contents, which include the user's private key and synchronized configuration, were accessible to all local users. This vulnerability affects all Windows installations of Icinga 2.
The improper permissions allow all local users to read sensitive information from the affected directories, including private keys and configuration files.
Users can upgrade Icinga 2 to versions 2.15.2, 2.14.8, or 2.13.14. For Icinga for Windows, versions 1.13.4, 1.12.4, or 1.11.2 should be installed. If an upgrade is not possible, the permissions can be manually adjusted to restrict access for general users, allowing only the Icinga service user and administrators to access the folders.
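An added audit-and-restrict script for the manual workaround described above (not code from the Icinga project or its advisory): it reports Allow entries that give broad local groups read access under '%ProgramData%\icinga2\var' and, when run with -Fix, limits access to SYSTEM, Administrators and the service account. The Network Service default for the service account, the parameter names and the function names are assumptions; confirm which account your Icinga 2 service runs as before applying it.

```powershell
# Added example (not Icinga project code). Run from an elevated PowerShell session.
param(
    [string]$Path = (Join-Path $env:ProgramData 'icinga2\var'),
    # Assumption: the service runs as Network Service (S-1-5-20); pass the account
    # your Icinga 2 service actually uses, e.g. 'DOMAIN\svc-icinga' (hypothetical name).
    [string]$ServiceAccount = '*S-1-5-20',
    [switch]$Fix   # without -Fix the script only reports
)
# Well-known SIDs of groups that contain ordinary local users.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}
$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Get-BroadReadAce {
    # Emits every Allow ACE, explicit or inherited, that lets a broad group read $Item.
    param([string]$Item)
    $rules = (Get-Acl -LiteralPath $Item).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $broad.ContainsKey($sid) -and
            (([int]$ace.FileSystemRights) -band $readData)) {
            [pscustomobject]@{ Path = $Item; Principal = $broad[$sid]
                               Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

function Test-IcingaVarAcl {
    # Checks the directory itself and everything below it.
    $items = @($Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force |
        ForEach-Object FullName)
    foreach ($item in $items) { Get-BroadReadAce -Item $item }
}

$findings = @(Test-IcingaVarAcl)
$findings | Format-Table -AutoSize
if ($Fix -and $findings.Count -gt 0) {
    # Allow only SYSTEM (S-1-5-18), Administrators (S-1-5-32-544) and the service account,
    # drop inherited ACEs, then remove explicit grants to the broad groups.
    icacls $Path /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' "${ServiceAccount}:(OI)(CI)F" /inheritance:r
    icacls $Path /remove:g '*S-1-1-0' '*S-1-5-11' '*S-1-5-32-545' '*S-1-5-4'
    icacls (Join-Path $Path '*') /reset /T /C   # children inherit only from the parent
    "Remaining findings: $(@(Test-IcingaVarAcl).Count)"
}
```

The check looks only at file-specific read bits, so an entry expressed purely as generic rights is not decoded. Restart the Icinga 2 service after applying the change to confirm it can still read its own files.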