Date:      Mon,  8 Dec 2008 15:38:37 +0300 (MSK)
From:      Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/129496: [vuxml] net-mgmt/nagios: document CVE-2008-5027
Message-ID:  <20081208123837.96AB6B8019@phoenix.codelabs.ru>
Resent-Message-ID: <200812081240.mB8Ce2vu086107@freefall.freebsd.org>


>Number:         129496
>Category:       ports
>Synopsis:       [vuxml] net-mgmt/nagios: document CVE-2008-5027
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Dec 08 12:40:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.1-PRERELEASE amd64

>Description:

A vulnerability in Nagios's cmd.cgi was discovered and fixed in 3.0.5:
----- http://blogs.op5.org/blog4.php/2008/11/11/nagios-cmd-cgi-authorization-bypass-vuln
The evil user then creates the comment so that the textarea contains a
newline, and lets the second line contain a completely different
command. cmd.cgi only verifies that the user is allowed to submit the
first command but sends the entire input to Nagios without checking it
for newlines. Nagios reads its command-pipe line-by-line and has no way
of picking up the username of the person that submitted the command, so
it happily runs all the commands fed to it.

For Nagios 2, this wouldn't have been such a big deal. The evil user
could stop Nagios entirely, which is of course (very!) bad, but that's
where it ends.

However, in Nagios 3, the ability to change checkcommands and their
arguments was added. Authenticated users can exploit this vulnerability
to cause the Nagios process to run arbitrary commands, such as emailing
the Nagios configurations (with its accurate map of the network and
whatever passwords are stored there) to themselves, or open up remote
shell sessions originating from inside the firewall. Bad stuff indeed.
-----

>How-To-Repeat:

Look at the above URL and CVE-2008-5027,
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5027

>Fix:

The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="ba536854-c518-11dd-b2e0-001fc66e7203">
    <topic>nagios -- arbitrary command submission by authenticated users</topic>
    <affects>
      <package>
        <name>nagios</name>
        <range><lt>3.0.5</lt></range>
        <range><le>2.12_1</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Andreas Ericsson reports:</p>
        <blockquote
          cite="http://blogs.op5.org/blog4.php/2008/11/11/nagios-cmd-cgi-authorization-bypass-vuln">
          <p>Recently, Tim Starling of the Wikimedia foundation reported
          an issue that could allow authenticated users to bypass the
          authorization in cmd.cgi and submit arbitrary commands to
          Nagios' command pipe.</p>
        </blockquote>
        <p>For Nagios 3.x this results in the ability of running
        any binary with the privileges of Nagios user via the change
        of the checkcommands.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-5027</cvename>
      <bid>32156</bid>
      <url>http://blogs.op5.org/blog4.php/2008/11/11/nagios-cmd-cgi-authorization-bypass-vuln</url>
    </references>
    <dates>
      <discovery>11-11-2008</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---

Please note that the fix for this issue introduced some regressions
in 3.0.5,
  http://permalink.gmane.org/gmane.comp.security.oss.general/1283
so it is very good to update to 3.0.6.  The PR is already here,
ports/129409, but it is waiting to be processed.

Moreover, there is a commit in 3.0.6 that disables some commands for
security reasons:
  http://nagios.cvs.sourceforge.net/viewvc/nagios/nagios/base/commands.c?r1=1.109&r2=1.110&view=patch

The impact is currently unknown, but I will try to research this.

I am currently working on backporting the patches to 2.12 -- it is
vulnerable too.  Will keep you posted.
>Release-Note:
>Audit-Trail:
>Unformatted:
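
Added example (not part of this PR and not Nagios source code): a simplified C model of the flaw described in the quoted advisory, next to the check that closes it. The function names, the sample host and author values, and the SECOND_COMMAND placeholder are constructed for illustration; the "[timestamp] COMMAND;args" line layout is Nagios's external command syntax.

```c
#include <stdio.h>
#include <string.h>

/* Count the commands a line-by-line reader of the command pipe would see. */
static int commands_seen(const char *buf)
{
    int n = 0;
    for (const char *p = buf; *p != '\0'; p++)
        if (*p == '\n')
            n++;
    return n;
}

/* Simplified model of the flaw: the command name was authorised, but the
 * user-supplied arguments are copied to the pipe without inspection. */
static int format_unchecked(char *out, size_t n, unsigned long ts,
                            const char *cmd, const char *args)
{
    int len = snprintf(out, n, "[%lu] %s;%s\n", ts, cmd, args);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Hardened form: refuse any field containing CR or LF, so one authorised
 * request can only ever become one line on the pipe. */
static int format_checked(char *out, size_t n, unsigned long ts,
                          const char *cmd, const char *args)
{
    if (n == 0)
        return -1;
    out[0] = '\0';                      /* leave nothing to write on failure */
    if (strpbrk(cmd, "\r\n") != NULL || strpbrk(args, "\r\n") != NULL)
        return -1;
    if (format_unchecked(out, n, ts, cmd, args) != 0) {
        out[0] = '\0';                  /* truncated line: discard it too */
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed input: a comment field carrying an embedded newline. */
    const char *args = "web1;1;alice;disk ok\n[0] SECOND_COMMAND;x";
    char buf[256];

    format_unchecked(buf, sizeof buf, 0UL, "ADD_HOST_COMMENT", args);
    printf("unchecked: %d command(s) reach the pipe\n", commands_seen(buf));
    if (format_checked(buf, sizeof buf, 0UL, "ADD_HOST_COMMENT", args) != 0)
        printf("checked: request rejected\n");
    return 0;
}
```

The same rejection belongs on every field that ends up in the command line, since the pipe reader cannot tell which submitter produced which line.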


