michael orlitzky

CVE-2017-16933: Icinga2 root privilege escalation via init script and systemd service

posted 2017-11-23

Product: Icinga2
Vendor: NETWAYS GmbH
Versions affected: 2.8.0 and earlier (all 2.x versions)
Published on: 2017-11-23
Bug report: https://github.com/Icinga/icinga2/issues/5793
MITRE: CVE-2017-16933
OSS-security: https://www.openwall.com/lists/oss-security/2018/01/17/1

Summary

The icinga2 init script (etc/initsystem/icinga2.init.d.cmake) and systemd service file (etc/initsystem/icinga2.service.cmake) allow the unprivileged $ICINGA2_USER to gain root privileges by replacing the target of chown with a link.

Details

The full details, exploit, and mitigation for this class of vulnerabilities are discussed in my article, End root chowning now (make /etc/init.d great again).

Unique to this case is that the bug is located outside of the init script, in prepare-dirs. Both the init script and the systemd service file run prepare-dirs, so the service file is affected as well:

user $ grep prepare-dirs etc/initsystem/icinga2.init.d.cmake
@CMAKE_INSTALL_PREFIX@/lib/icinga2/prepare-dirs $SYSCONFIGFILE

user $ grep prepare-dirs etc/initsystem/icinga2.service.cmake
ExecStartPre=@CMAKE_INSTALL_PREFIX@/lib/icinga2/prepare-dirs @ICINGA2_SYSCONFIGFILE@
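
An added example, not part of the advisory or of Icinga2: a POSIX shell check for the condition described in the Summary, reporting when a path that root is about to chown could be swapped for a link. The names chown_target_risk and ls_field, the TRUSTED_UID parameter and the demo directory are assumptions made for illustration; only the path and its parent directory are examined.

```shell
#!/bin/sh
# Added example, not taken from the advisory or from Icinga2.
# chown_target_risk PATH [TRUSTED_UID]
# Reports why "chown ... PATH", run as root, could end up changing the owner
# of some other file. Returns 0 if nothing was found, 1 otherwise.
# TRUSTED_UID defaults to 0 (root); it is a parameter so that the check can
# be exercised without root.

# Print field N of "ls -ldn" for a path (2 = link count, 3 = numeric owner).
ls_field() { ls -ldn -- "$1" | awk -v n="$2" '{ print $n }'; }

chown_target_risk() {
    target=$1
    trusted=${2:-0}
    risk=0
    parent=$(dirname -- "$target")

    # Whoever owns the parent directory can rename or unlink entries in it,
    # and so can put a link where the caller expects its own file.
    owner=$(ls_field "$parent/." 3)
    if [ "$owner" != "$trusted" ]; then
        echo "$parent: owned by uid $owner, entries can be replaced"
        risk=1
    fi

    if [ -L "$target" ]; then
        # chown without -h follows a symlink and changes what it points to.
        echo "$target: is a symbolic link"
        risk=1
    elif [ -f "$target" ] && [ "$(ls_field "$target" 2)" -gt 1 ]; then
        # More than one link: the same inode is reachable under another name.
        echo "$target: regular file with more than one hard link"
        risk=1
    fi
    return "$risk"
}

# Constructed demo: a scratch directory holding a symlink named "cmd".
demo=$(mktemp -d)
ln -s /etc/passwd "$demo/cmd"
chown_target_risk "$demo/cmd" || echo "=> not safe for root to chown"
rm -rf "$demo"
```
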