CVE-2021-32739: 
Icinga vulnerability analysis and mitigation

A privilege escalation vulnerability (CVE-2021-32739) was discovered in Icinga2, a general-purpose monitoring application, affecting versions 2.4.0 through 2.12.4. The vulnerability allows authenticated API users with read-only permissions to access sensitive configuration attributes (GitHub Advisory, Debian LTS).

The vulnerability allows authenticated API users with read-only permissions to view attributes of all config objects, including the ticket_salt of ApiListener. This salt can be used to compute a ticket for any common name (CN). Combined with the master node's certificate and a self-signed certificate, an attacker can successfully request desired certificates from Icinga, which can then be used to steal endpoint or API user identities (GitHub Advisory).

The vulnerability enables privilege escalation where an attacker with read-only API access can potentially gain administrative access to the system. By obtaining the ticket salt, attackers can generate valid certificates for any identity, effectively bypassing the intended access controls (GitHub Advisory).

Users should upgrade to version 2.12.5 or 2.11.10 which contain the fix. Alternative workarounds include explicitly specifying queryable types in API user permissions or filtering out ApiListener objects using permission filters. Additionally, it is recommended to change the ticket salt and replace the Icinga CA after applying the update (GitHub Advisory).