michael orlitzky

CVE-2017-16933: Icinga2 root privilege escalation via init script and systemd service

Product
Icinga2
Vendor
NETWAYS GmbH
Versions affected
2.8.0 and earlier (all 2.x versions)
Published on
2017-11-23
Author
Michael Orlitzky
Bug report
https://github.com/Icinga/icinga2/issues/5793
MITRE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16933
OSS-security
Coming soon

Summary

The icinga2 init script (etc/initsystem/icinga2.init.d.cmake) and systemd service file (etc/initsystem/icinga2.service.cmake) allow the unprivileged $ICINGA2_USER to gain root privileges by replacing the target of chown with a link.

Details

The full details, exploit, and mitigation for this class of vulnerabilities are discussed in my article, End root chowning now (make /etc/init.d great again).

Unique to this case is that the bug is located outside of the init script, in prepare-dirs, and that it (therefore) affects the systemd service file as well:

user $ grep prepare-dirs etc/initsystem/icinga2.init.d.cmake

@CMAKE_INSTALL_PREFIX@/lib/icinga2/prepare-dirs $SYSCONFIGFILE

user $ grep prepare-dirs etc/initsystem/icinga2.service.cmake

ExecStartPre=@CMAKE_INSTALL_PREFIX@/lib/icinga2/prepare-dirs @ICINGA2_SYSCONFIGFILE@