Icinga for Windows and Icinga 2 Insecure File Permissions Allow Private Key Exposure

Vulnerability

A vulnerability exists in Icinga for Windows versions prior to 1.13.4, 1.12.4, and 1.11.2, as well as in Icinga 2 versions 2.3 through 2.15.1. The issue arises because the 'certificate' directory in Icinga for Windows and the 'var' directory in Icinga 2 on Windows do not have proper permissions set. This oversight allows all local users to read sensitive contents, including private keys and configuration data. All installations on Windows are affected.

Impact

The improper permissions in the Icinga for Windows 'certificate' directory and the Icinga 2 'var' directory expose private keys and other sensitive information to all local users.

Remediation

Users can manually update the Access Control List (ACL) for the affected directories to restrict access for general users, allowing only the Icinga service user and administrators to access them. Alternatively, Icinga for Windows can be upgraded to version 1.13.4, 1.12.4, or 1.11.2, which will automatically fix the permission issue for the Icinga 2 agent as well. Icinga 2 can be upgraded to version 2.15.2, 2.14.8, or 2.13.14.
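
The manual ACL fix described above could be scripted as follows. This is an added example, not code from Icinga or from this advisory; the directory path and the service account are placeholders to fill in, and keeping SYSTEM alongside administrators is an assumption.

```powershell
# Added example, not Icinga's own remediation code. Run from an elevated prompt.
# Placeholders: replace both values with the ones for your installation.
$TargetDir   = '<AFFECTED-DIRECTORY>'       # the 'certificate' or 'var' directory
$ServiceUser = '<ICINGA-SERVICE-ACCOUNT>'   # account the Icinga service runs as

# Well-known SIDs of groups that include every local user.
$BroadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'   # Everyone, Authenticated Users, Users

function Get-BroadAce {
    # Lists Allow entries granted to the broad groups on $Path and everything below it.
    param([Parameter(Mandatory)][string]$Path)
    $items = @(Get-Item -LiteralPath $Path -Force) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        # Translate to SIDs so localized group names do not matter.
        (Get-Acl -LiteralPath $item.FullName).GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $BroadSids -contains $_.IdentityReference.Value } |
            ForEach-Object {
                [pscustomobject]@{ Path = $item.FullName; Sid = $_.IdentityReference.Value
                                   Rights = $_.FileSystemRights; Inherited = $_.IsInherited }
            }
    }
}

function Set-RestrictedAcl {
    # Replaces the directory ACL with entries for administrators and the service account.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$ServiceAccount)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited entries
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in @($acl.GetAccessRules($true, $false, $sidType))) {
        [void]$acl.RemoveAccessRule($ace)         # drop existing explicit entries
    }
    $principals = @(
        [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'   # Administrators
        [System.Security.Principal.SecurityIdentifier]'S-1-5-18'       # SYSTEM (assumption)
        [System.Security.Principal.NTAccount]$ServiceAccount
    )
    foreach ($p in $principals) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $p, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

Get-BroadAce -Path $TargetDir | Format-Table -AutoSize   # findings before the change
Set-RestrictedAcl -Path $TargetDir -ServiceAccount $ServiceUser
Get-BroadAce -Path $TargetDir | Format-Table -AutoSize   # entries left on children with their own ACLs
```

Resetting the directory ACL does not rewrite files or subdirectories that carry their own explicit or protected ACLs, so anything the second report still lists needs the same treatment.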

Added: Jan 29, 2026, 6:26 PM
Updated: Jan 29, 2026, 6:57 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 3.3
remediation: 0.0
relevance: 2.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.