Message-Id: <20081208123837.96AB6B8019@phoenix.codelabs.ru>
Date: Mon, 8 Dec 2008 15:38:37 +0300 (MSK)
From: Eygene Ryabinkin
To: FreeBSD-gnats-submit@FreeBSD.org
X-GNATS-Notify: jarrod@netleader.com.au
Subject: ports/129496: [vuxml] net-mgmt/nagios: document CVE-2008-5027
List-Id: Ports bug reports

>Number: 129496
>Category: ports
>Synopsis: [vuxml] net-mgmt/nagios: document CVE-2008-5027
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Dec 08 12:40:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-PRERELEASE amd64
>Organization: Code Labs
>Environment:

System: FreeBSD 7.1-PRERELEASE amd64

>Description:

A vulnerability in Nagios's cmd.cgi was discovered and fixed in 3.0.5:

-----
http://blogs.op5.org/blog4.php/2008/11/11/nagios-cmd-cgi-authorization-bypass-vuln

The evil user then creates the comment so that the textarea contains a newline, and lets the second line contain a completely different command. cmd.cgi only verifies that the user is allowed to submit the first command but sends the entire input to Nagios without checking it for newlines. Nagios reads its command-pipe line-by-line and has no way of picking up the username of the person that submitted the command, so it happily runs all the commands fed to it.

For Nagios 2, this wouldn't have been such a big deal. The evil user could stop Nagios entirely, which is of course (very!) bad, but that's where it ends. However, in Nagios 3, the ability to change checkcommands and their arguments was added.

Authenticated users can exploit this vulnerability to cause the Nagios process to run arbitrary commands, such as emailing the Nagios configurations (with its accurate map of the network and whatever passwords are stored there) to themselves, or open up remote shell sessions originating from inside the firewall. Bad stuff indeed.
-----

>How-To-Repeat:

Look at the above URL and CVE-2008-5027,
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5027

>Fix:

The following VuXML entry should be evaluated and added:

--- vuln.xml begins here ---
nagios -- arbitrary command submission by authenticated users
nagios 3.0.5 2.12_1

Andreas Ericsson reports:

Recently, Tim Starling of the Wikimedia foundation reported an issue that could allow authenticated users to bypass the authorization in cmd.cgi and submit arbitrary commands to Nagios' command pipe.

For Nagios 3.x this results in the ability of running any binary with the privileges of Nagios user via the change of the checkcommands.

CVE-2008-5027 32156 http://blogs.op5.org/blog4.php/2008/11/11/nagios-cmd-cgi-authorization-bypass-vuln 11-11-2008 TODAY
--- vuln.xml ends here ---

Please note that the fix for this issue introduced some regressions in 3.0.5,
http://permalink.gmane.org/gmane.comp.security.oss.general/1283
so it is very good to update to 3.0.6. The PR is already here, ports/129409, but it waits for its processing.

Moreover, there is a commit in 3.0.6 that disables some commands due to security reasons:
http://nagios.cvs.sourceforge.net/viewvc/nagios/nagios/base/commands.c?r1=1.109&r2=1.110&view=patch
The impact is currently unknown, but I will try to research this.

I am currently working on backporting the patches to 2.12 -- it is vulnerable too. Will keep you posted.

>Release-Note:
>Audit-Trail:
>Unformatted:
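
The missing check described in the quoted advisory, sketched as an added example (not code from Nagios, the port, or the original report): a command-line builder that refuses CR/LF in any field, so the single command that was authorized is the only line written to the command pipe. The helper names, the sample field values and the SECOND_COMMAND placeholder are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* How many commands a line-by-line reader of the command pipe would see. */
static size_t pipe_command_count(const char *buf)
{
    size_t n = 0;
    int in_line = 0;
    for (; *buf; buf++) {
        int eol = (*buf == '\n' || *buf == '\r');
        if (!eol && !in_line)
            n++;
        in_line = !eol;
    }
    return n;
}

/* Hypothetical CGI-side helper (not Nagios code): format "[ts] CMD;field;...\n"
 * and refuse any field holding CR or LF, so only the authorized command is
 * written. Returns 0 on success, -1 on rejected input or truncation. */
static int build_external_command(char *out, size_t outlen, unsigned long ts,
        const char *cmd, const char *const *fields, size_t nfields)
{
    int w = snprintf(out, outlen, "[%lu] %s", ts, cmd);
    if (w < 0 || (size_t)w >= outlen)
        return -1;
    size_t used = (size_t)w;
    for (size_t i = 0; i < nfields; i++) {
        if (strpbrk(fields[i], "\r\n") != NULL)
            return -1;              /* embedded line break: reject outright */
        w = snprintf(out + used, outlen - used, ";%s", fields[i]);
        if (w < 0 || (size_t)w >= outlen - used)
            return -1;
        used += (size_t)w;
    }
    if (used + 2 > outlen)
        return -1;
    memcpy(out + used, "\n", 2);    /* single terminating newline plus NUL */
    return 0;
}

int main(void)
{
    /* Constructed input: the comment field carries a second line. */
    const char *bad[] = { "web01", "1", "alice", "note\nSECOND_COMMAND;x" };
    char buf[256];
    int rc = build_external_command(buf, sizeof buf, 1228739917UL,
                                    "ADD_HOST_COMMENT", bad, 4);
    printf("field with newline: rc=%d\n", rc);
    return rc == -1 ? 0 : 1;
}
```

pipe_command_count shows why the check matters: the same text passed through unchecked is read from the pipe as two commands, while any line the builder accepts always counts as one.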