CVE-2024-49369
Published: 12 November 2024
Summary
CVE-2024-49369 is a critical-severity Improper Certificate Validation (CWE-295) vulnerability in Icinga 2 (vendor: Icinga). Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 3.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
Icinga 2 is an open-source monitoring system that performs availability checks, sends outage notifications, and produces performance data. The vulnerability is an improper certificate validation flaw (CWE-295) present in every release from 2.4.0 up to the fixed versions: the TLS handshake logic did not correctly enforce certificate constraints, so an attacker could impersonate both cluster nodes and ApiUser accounts that authenticate with TLS client certificates (ApiUser objects with the client_cn attribute set).
An unauthenticated network attacker can exploit the flaw by presenting a crafted certificate that Icinga 2 accepts as valid, thereby impersonating trusted nodes or privileged API users. Successful exploitation lets the attacker inject monitoring data, alter configuration, or issue commands with the privileges of the impersonated entity, which is consistent with the CVSS 9.8 rating.
The issue is resolved in Icinga 2 versions 2.14.3, 2.13.10, 2.12.11, and 2.11.12; each maintained branch received its own fixed release, so an installed version must be compared against the fix on its own branch, not against 2.14.3 alone. The fix commits implement stricter certificate validation checks that restore proper enforcement of subject names and trust relationships for both cluster and API-client connections. The EPSS score reached a peak of 0.2551 before receding to its current value of 0.2407.
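Because the fix landed on four separate branches, a naive numeric comparison gets triage wrong (2.13.9 is vulnerable even though it sorts below 2.14.3). The following Python helper is an added example, not code from the advisory or the Icinga project; it assumes that branches newer than 2.14 were cut after the fix and that the input contains an x.y.z version triple.

```python
# Added triage helper for CVE-2024-49369 (not part of the advisory or of Icinga 2).
# Fixed versions come from the advisory: 2.14.3, 2.13.10, 2.12.11, 2.11.12.
# Assumption: 2.15 and later branches include the fix.
import re

FIRST_AFFECTED = (2, 4, 0)
# minor branch -> first patch level on that branch that carries the fix
FIXED_IN = {(2, 14): 3, (2, 13): 10, (2, 12): 11, (2, 11): 12}


def parse_version(text: str) -> tuple:
    """Extract major.minor.patch from strings such as '2.13.9' or 'r2.14.2-1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version: str) -> bool:
    """True if the given Icinga 2 version is in the affected range for this CVE."""
    major, minor, patch = parse_version(version)
    if (major, minor, patch) < FIRST_AFFECTED:
        return False  # releases before 2.4.0 are outside the affected range
    if major > 2 or (major == 2 and minor > 14):
        return False  # assumption: branches newer than 2.14 ship with the fix
    fixed_patch = FIXED_IN.get((major, minor))
    if fixed_patch is None:
        return True  # 2.4 .. 2.10: affected, no fixed release on those branches
    return patch < fixed_patch  # compare only against the fix on the same branch


def triage(versions) -> dict:
    """Map each observed version string to 'affected' or 'fixed'."""
    return {v: ("affected" if is_affected(v) else "fixed") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for v, state in triage(["2.13.9", "2.14.3", "r2.14.2-1", "2.10.7"]).items():
        print(f"{v:12s} {state}")
```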
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-43406
Vulnerability details
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set). This vulnerability has been fixed in v2.14.3, v2.13.10, v2.12.11, and v2.11.12.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Where certificates are used to establish component provenance, the control requires correct certificate validation procedures.
- Mandates approved trust anchors and issuance policies, directly preventing acceptance of unvalidated or untrusted certificates.
- Correct system time is required for proper enforcement of certificate notBefore/notAfter dates and time-based revocation checks.