Even unauthenticated cybercriminals might run malicious PHP code and hijack computers thanks to a couple of vulnerabilities in the web control panel of the IT monitoring system Icinga. Two path traversal flaws and a vulnerability that allows arbitrary PHP code to be executed from the administrator interface were recently addressed as web-related vulnerabilities uncovered by security researchers at SonarSource.
CVE-2022-24716 is a route traversal problem in Icinga Web 2, whereas CVE-2022-24715 is a second path traversal bug that also takes advantage of PHP’s behavior while verifying an SSH key with a NULL byte. The OpenSSL core extension contains the PHP vulnerability.
According to SonarSource, these vulnerabilities may easily be linked together to exploit a system. Patches are available, and Icinga Web versions 2.8.6, 2.9.6, and 2.10 should be updated. Users should update their installation and rotate their credentials as an added precaution.
Icinga is an open-source IT monitoring system that includes several plugins that may be used to track network traffic, disk space, and services on monitored hosts. The faults in the web management panel for the technology, known as Icinga Web 2, are the source of the vulnerabilities.
Due to the path traversal vulnerability, attackers might read the contents of any local system files exposed to the webserver user, including icingaweb2 configuration files containing database credentials. The CVE-2022-24715 issue allows arbitrary PHP code to be executed from the administrator interface.
According to the latest technical blog post by SonarSource, the two vulnerabilities can “easily [be] chained [together] to compromise the server from an unauthenticated position if the attacker can reach the database by first disclosing configuration files and modifying the administrator’s password.”
SonarSource was questioned whether the vulnerabilities had been exploited in the wild and what lessons its discoveries may teach other software developers. However, no response has yet been received.
