CVE-2024-28872: 
NixOS vulnerability analysis and mitigation

A critical vulnerability (CVE-2024-28872) has been discovered in Stork, a popular open-source network monitoring tool for Kea DHCP servers. The vulnerability affects Stork versions 0.15.0 through 1.15.0 and involves a flaw in the TLS certificate validation code. This security issue has received a high severity CVSS score of 8.9, indicating its significant impact potential (NVD, Security Online).

The vulnerability stems from flawed TLS certificate validation implementation. An attacker can obtain a TLS certificate from the Stork server and use it to establish a connection with the Stork agent. The flaw has been assigned a CVSS v3.1 base score of 8.9 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:H, indicating network accessibility with high attack complexity and no privileges or user interaction required (NVD).

Successful exploitation of this vulnerability can lead to multiple severe consequences. Once a connection is established with a valid certificate, attackers can send malicious commands to monitored services (Kea or BIND 9), potentially resulting in confidential data loss, service disruption, and unauthorized configuration modifications. The vulnerability could allow attackers to exfiltrate sensitive configuration data or logs from the Stork server and potentially shut down Kea or BIND 9 servers, causing network outages (Security Online).

Organizations are strongly advised to update their Stork installations to version 1.15.1 or newer, which contains patches for this vulnerability. Additional security measures include implementing network segmentation to restrict access between Stork servers and agents, and maintaining regular monitoring of Stork, Kea, and BIND 9 logs for suspicious activity (Security Online).