# CVE-2024-49369

## Overview

This vulnerability leverages the Icinga JSON-RPC protocol to exploit monitored nodes running Icinga agents. By impersonating a Master/Satellite instance, attackers can potentially take over agents, execute arbitrary commands, or gain sensitive information.

## How to Use

### Scanning

To scan a subnet for vulnerable agents, run the following command:

```bash
python3 main.py scan --subnet 192.168.0.0/24 --vuln --batch 25
```

This scans the specified subnet in batches of 25 IPs. The tool sends an `Icinga::HELLO` message over the JSON-RPC protocol and identifies responding agents along with their versions.

### Exploiting

If configuration and command execution are enabled on an endpoint (the default setting for monitored nodes with Icinga agents), an attacker can:

- Impersonate a Master/Satellite instance.
- Update the endpoint configuration.
- Execute arbitrary commands on the endpoint.

This can lead to full system compromise (depending on the service user) or limited access.

### Prerequisites

Network disruptions or a restart of the target: The Icinga agent automatically rejects new connections from the same Master/Satellite instance until the existing connection is severed. When the parent node is still connected, the exploit connections will look like this in the log:

```
[2024-12-11 09:13:03 -0500] information/ApiListener: New client connection for identity 'my_satellite' from [::ffff:192.168.0.1]:48120
[2024-12-11 09:13:04 -0500] information/ApiListener: New client connection for…
```
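On the agent side, the log pattern quoted above is something to alert on. The following is an added example, not part of the original page or its tool: it parses the `ApiListener` line format shown above and flags a parent identity that connects from an unexpected address or reconnects in a burst. `EXPECTED_PARENTS`, the burst threshold and window, and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Format of the ApiListener line quoted on the page.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] information/ApiListener: New client connection "
    r"for identity '(?P<identity>[^']+)' from \[(?P<addr>[^\]]+)\]:\d+"
)

def parse_line(line):
    """Return (timestamp, identity, source IP) or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S %z")
    ip = ipaddress.ip_address(m["addr"])
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it compares with the allowlist.
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ts, m["identity"], str(ip)

def find_suspicious(lines, expected, burst=3, window=timedelta(seconds=10)):
    """Flag identities seen from unexpected IPs or reconnecting in bursts."""
    findings, recent = [], defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, identity, ip = parsed
        allowed = expected.get(identity)
        if allowed is not None and ip not in allowed:
            findings.append(("unexpected_source", identity, ip))
        times = recent[identity]
        times.append(ts)
        while ts - times[0] > window:  # keep only connections inside the window
            times.pop(0)
        if len(times) == burst:
            findings.append(("reconnect_burst", identity, ip))
    return findings

# Constructed sample lines in the page's format (addresses are illustrative).
SAMPLE_LOG = [
    "[2024-12-11 09:00:00 -0500] information/ApiListener: New client connection for identity 'my_satellite' from [::ffff:192.168.0.1]:48120",
    "[2024-12-11 09:13:03 -0500] information/ApiListener: New client connection for identity 'my_satellite' from [::ffff:192.168.0.50]:50112",
    "[2024-12-11 09:13:04 -0500] information/ApiListener: New client connection for identity 'my_satellite' from [::ffff:192.168.0.50]:50114",
    "[2024-12-11 09:13:05 -0500] information/ApiListener: New client connection for identity 'my_satellite' from [::ffff:192.168.0.50]:50116",
]
EXPECTED_PARENTS = {"my_satellite": {"192.168.0.1"}}  # assumed allowlist
```

Calling `find_suspicious(SAMPLE_LOG, EXPECTED_PARENTS)` returns three `unexpected_source` findings followed by one `reconnect_burst` finding for `my_satellite`.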