Vulnerability Name:

CVE-2020-14004 (CCN-183356)

Assigned:2020-06-12
Published:2020-06-12
Updated:2022-11-16
Summary:An issue was discovered in Icinga2 before v2.12.0-rc1. The prepare-dirs script (run as part of the icinga2 systemd service) executes chmod 2750 /run/icinga2/cmd. /run/icinga2 is under control of an unprivileged user by default. If /run/icinga2/cmd is a symlink, then it will by followed and arbitrary files can be changed to mode 2750 by the unprivileged icinga2 user.
CVSS v3 Severity:7.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
3.5 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:4.6 Medium (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
2.1 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-59
Vulnerability Consequences:File Manipulation
References:Source: MITRE
Type: CNA
CVE-2020-14004

Source: SUSE
Type: Broken Link, Mailing List, Third Party Advisory
openSUSE-SU-2020:1820

Source: CONFIRM
Type: Exploit, Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2020/06/12/1

Source: MISC
Type: Broken Link, Issue Tracking
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2020-14004

Source: XF
Type: UNKNOWN
icinga-cve202014004-symlink(183356)

Source: MISC
Type: Third Party Advisory
https://github.com/Icinga/icinga2/compare/v2.12.0-rc1...master

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/Icinga/icinga2/pull/8045/commits/2f0f2e8c355b75fa4407d23f85feea037d2bc4b6

Source: MISC
Type: Release Notes, Third Party Advisory
https://github.com/Icinga/icinga2/releases

Source: CCN
Type: icinga Web site
icinga

Source: CCN
Type: oss-sec Mailing List, Thu, 4 Jun 2020 10:30:41 +0530 (IST)
icinga2: CVE-2020-14004: prepare-dirs script allows for symlink attack in the icinga user context

Source: CCN
Type: oss-sec Mailing List, Fri, 12 Jun 2020 08:16:23 -0400
Re: icinga2: CVE-2020-14004: prepare-dirs script allows for symlink attack in the icinga user context

Vulnerable Configuration:Configuration 1:
  • cpe:/a:icinga:icinga:2.12.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:icinga:icinga:*:*:*:*:*:*:*:* (Version >= 2.0.0 and <= 2.11.3)

    • Configuration 2:
  • cpe:/o:opensuse:leap:15.1:*:*:*:*:*:*:*
  • OR cpe:/a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
  • OR cpe:/o:opensuse:leap:15.2:*:*:*:*:*:*:*
  • OR cpe:/a:opensuse:backports_sle:15.0:sp2:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:202014004
    V
    		CVE-2020-14004
    2022-06-30
    oval:org.opensuse.security:def:112427
    P
    		icinga2-2.13.1-1.3 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:64794
    P
    		Security update for binutils (Moderate)
    2021-11-04
    oval:org.opensuse.security:def:64589
    P
    		Security update for glibc (Moderate)
    2021-10-12
    oval:org.opensuse.security:def:105933
    P
    		icinga2-2.13.1-1.3 on GA media (Moderate)
    2021-10-01
    oval:org.opensuse.security:def:63200
    P
    		davfs2-1.5.4-1.4 on GA media (Moderate)
    2021-09-21
    oval:org.opensuse.security:def:63349
    P
    		libslirp-devel-4.3.1-1.51 on GA media (Moderate)
    2021-08-10
    oval:org.opensuse.security:def:62744
    P
    		ftdump-2.10.1-4.8.1 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:64550
    P
    		Security update for libvirt (Moderate)
    2021-07-27
    oval:org.opensuse.security:def:74655
    P
    		Security update for the Linux Kernel (Important)
    2021-07-21
    oval:org.opensuse.security:def:63540
    P
    		gstreamer-plugins-ugly-1.12.5-1.35 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:64687
    P
    		Security update for dtc (Low)
    2021-05-13
    oval:org.opensuse.security:def:64686
    P
    		Security update for openvpn (Moderate)
    2021-05-12
    oval:org.opensuse.security:def:64477
    P
    		Security update for ruby2.5 (Moderate)
    2021-04-20
    oval:org.opensuse.security:def:63402
    P
    		tomcat-9.0.14-2.16 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:63171
    P
    		memcached-1.5.6-2.10 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:63642
    P
    		pidgin-plugin-otr-4.0.2-1.61 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62921
    P
    		perl-Tk-devel-804.034-1.44 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:64896
    P
    		Security update for python (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:65066
    P
    		Security update for the Linux Kernel (Important)
    2020-12-01
    oval:org.opensuse.security:def:64333
    P
    		libidn2-0 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:63766
    P
    		Security update for apache-commons-beanutils (Important)
    2020-12-01
    oval:org.opensuse.security:def:75141
    P
    		Security update for icinga2 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:64227
    P
    		clamav on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:63845
    P
    		Security update for permissions (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:74529
    P
    		Security update for MozillaFirefox (Important)
    2020-12-01
    oval:org.opensuse.security:def:64221
    P
    		btrfsmaintenance on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:64954
    P
    		Security update for autoyast2 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:75008
    P
    		Security update for tomcat (Important)
    2020-12-01
    oval:org.opensuse.security:def:64435
    P
    		perl-LWP-Protocol-https on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:64093
    P
    		Security update for apache-commons-httpclient (Important)
    2020-12-01
    oval:org.opensuse.security:def:63992
    P
    		Security update for sudo (Important)
    2020-12-01
    oval:org.opensuse.security:def:110836
    P
    		Security update for icinga2 (Moderate)
    2020-11-03
    oval:org.opensuse.security:def:96382
    P
    		Security update for icinga2 (Moderate)
    2020-11-03
    oval:org.opensuse.security:def:100257
    P
    		Security update for icinga2 (Moderate)
    2020-11-03
    oval:org.opensuse.security:def:109729
    P
    		Security update for icinga2 (Moderate)
    2020-11-03
    oval:org.opensuse.security:def:103072
    P
    		Security update for icinga2 (Moderate)
    2020-11-03
    oval:org.opensuse.security:def:110279
    P
    		Security update for icinga2 (Moderate)
    2020-11-03
    oval:org.opensuse.security:def:93544
    P
    		Security update for icinga2 (Moderate)
    2020-11-03
    BACK
    icinga icinga 2.12.0 rc1
    icinga icinga *
    opensuse leap 15.1
    opensuse backports sle 15.0 sp1
    opensuse leap 15.2
    opensuse backports sle 15.0 sp2