Bug 17846

Summary:	xymon new security issues CVE-2015-205[4-8]
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	dpremy, sysadmin-bugs, tarazed25, tmb
Version:	5	Keywords:	validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/677960/
Whiteboard:	advisory mga5-64-ok
Source RPM:	xymon-4.3.17-5.mga5.src.rpm	CVE:
Status comment:

Description David Walser 2016-02-29 23:36:08 CET

Debian has issued an advisory today (February 29):
https://www.debian.org/security/2016/dsa-3495

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated xymon packages fix security vulnerabilities:


The incorrect handling of user-supplied input in the "config" command can
trigger a stack-based buffer overflow, resulting in denial of service (via
application crash) or remote code execution (CVE-2016-2054).

The incorrect handling of user-supplied input in the "config" command can
lead to an information leak by serving sensitive configuration files to a
remote user (CVE-2016-2055).

The commands handling password management do not properly validate
user-supplied input, and are thus vulnerable to shell command injection by a
remote user (CVE-2016-2056).

Incorrect permissions on an internal queuing system allow a user with a local
account on the xymon master server to bypass all network-based access control
lists, and thus inject messages directly into xymon (CVE-2016-2057).

Incorrect escaping of user-supplied input in status webpages can be used to
trigger reflected cross-site scripting attacks (CVE-2016-2058).

Note that to effectively fix CVE-2016-2055, the /etc/xymon/xymonpasswd
configuration file should be owned by user and group apache with 640
permissions.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2054
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2055
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2056
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2057
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2058
https://www.debian.org/security/2016/dsa-3495
========================

Updated packages in core/updates_testing:
========================
xymon-4.3.17-5.1.mga5
xymon-client-4.3.17-5.1.mga5

from xymon-4.3.17-5.1.mga5.src.rpm

Comment 1 claire robinson 2016-03-01 19:39:38 CET

Advisory uploaded.

Whiteboard: (none) => advisory

Comment 2 Len Lawrence 2016-03-02 19:32:45 CET

Having a look at this.  It is a network monitoring service of some kind.  That is all I know yet.

CC: (none) => tarazed25

Comment 3 Len Lawrence 2016-03-02 20:38:30 CET

mga5 x86_64 Mate

Googling revealed that this is a server and network monitoring tool, formerly
Hobbit, which keeps all its configuration files in one place and uses a
browser for display. For security reasons it is recommended that an isolated
userid be created for xymon (i.e. not a member of any other groups), ignored
for this test.
URLs:
http://xymon.sourceforge.net

Installed xymon and captured the introductory text.
$ urpmq -f xymon
xymon-4.3.17-5.mga5.x86_64

Edited the XYMONSERVERS entry in /etc/sysconfig/xymon-client.
Replace the empty string by a space-separated list of the IP addresses of the LAN nodes to be monitored and optionally set CLIENTHOSTNAME.
Ran a check that the service could start
# systemctl start xymon.service
# systemctl status xymon.service
â xymon.service - Xymon systems and network monitor
Loaded: loaded (/usr/lib/systemd/system/xymon.service; enabled)
Active: active (running) since Wed 2016-03-02 18:57:02 GMT; 15s ago
Docs: man:xymon(7)
man:xymonlaunch(8)
man:xymon(1)
Main PID: 11949 (xymonlaunch)
CGroup: /system.slice/xymon.service
ââ11949 /usr/sbin/xymonlaunch --no-daemon --log=/var/log/xymon/xym...
ââ11955 xymond --restart=/var/lib/xymon/tmp/xymond.chk --checkpoin...
ââ12067 /bin/sh
ââ12069 vmstat 300 2
ââ12076 xymond_channel --channel=stachg xymond_history
ââ12077 xymond_channel --channel=page xymond_alert --checkpoint-fi...
ââ12078 xymond_channel --channel=client xymond_client
ââ12079 xymond_channel --channel=status xymond_rrd --rrddir=/var/l...
ââ12080 xymond_channel --channel=data xymond_rrd --rrddir=/var/lib...
ââ12081 xymond_channel --channel=clichg xymond_hostdata
ââ12087 xymond_rrd --rrddir=/var/lib/xymon/rrd
ââ12088 xymond_history

Mar 02 18:57:02 vega xymoncmd[11949]: 2016-03-02 18:57:02 Using default env...fg
# systemctl stop xymon.service

At this point the web server needs to be configured for the xymon user but I have no idea how to approach this. The documentation mentions various files that need to be configured but I don't see them on this system. Like
~/server/etc/xymon-apache.conf
For xymon configuration the example xml file refers to /usr/local/xymon/...
The default here appears to be /usr/share/xymon/... but where are the apache
configuration files?

Comment 4 Thomas Backlund 2016-03-02 20:46:22 CET

I can test this one on Mageia infra tomorrow.

CC: (none) => tmb

Comment 5 Len Lawrence 2016-03-02 20:55:42 CET

Might be better.  Hoping you are keeping well Thomas.

Answering my question, apache?
The conf files are here of course:
# locate http | grep conf
/data/lcl/.kde4/share/config/kio_httprc
/etc/asterisk/http.conf
/etc/gconf/schemas/system_http_proxy.schemas
/etc/httpd/conf
/etc/httpd/conf.d
/etc/httpd/conf/conf.d
/etc/httpd/conf/httpd.conf
/etc/httpd/conf/magic
/etc/httpd/conf/modules.d
/etc/httpd/conf/sites.d
/etc/httpd/conf/vhosts.d
/etc/httpd/conf/webapps.d

Comment 6 David Remy 2016-03-07 21:53:47 CET

Tested on:
Mageia release 5 (Official) for x86_64

Package(s) Under Test:
  xymon-4.3.17-5.1.mga5.x86_64

Package(s) Testing Pre Upgrade:
  % sudo urpmf xymon
  Package xymon-4.3.17-5.mga5.x86_64 is already installed

  % sudo htpasswd -c /etc/xymon/xymonpasswd admin
  % sudo chown apache:apache xymonpasswd
  % sudo chmod 640 xymonpasswd

  % sudo service xymon restart
  % sudo service httpd restart

  Visited http://localhost/xymon and the site came up, monitoring only my local system. Poked around a little though there is little to do with a new install and only one server. Everything is working with the out of the box configuration. I couldn't seem to get the http://locahost/xymon-seccgi/ scripts to work so I'm not sure I got the authentication setup properly.

Package(s) Testing Upgrade:
  % sudo urpmi xymon
  Package xymon-4.3.17-5.1.mga5.x86_64 is already installed

  Visited http://localhost/xymon again and confirmed I was not using a cache. Everything still was working and I was able to mark a service as being under maintenance. Again, nothing within http://localhost/xymon-seccgi/ is working, internal server errors.

Kernal Version:
  4.1.15-desktop-2.mga5 x86_64

Hardware Information:
  Description: Desktop Computer
  Product: Virtual Machine
  Vendor: Microsoft Corporation

CC: (none) => dpremy

Comment 7 claire robinson 2016-03-09 19:11:31 CET

Thanks David, don't forget to add the OK if you're happy with it.

Comment 8 David Remy 2016-03-09 22:46:56 CET

I'm not too sure I was ok with the test as I think the xymon-seccgi is where this bug lives in the first place. I posted this mostly for others to have a process to install from and get it running, hopefully with the authentication portion figured out.

Comment 9 claire robinson 2016-03-15 20:07:11 CET

Adding feedback for a confirmation. tmb please see comment 6 when you get a chance. Thanks.

Whiteboard: advisory => advisory feedback

Comment 10 claire robinson 2016-04-28 17:46:56 CEST

Any sysadmin please. Thanks.

CC: (none) => sysadmin-bugs

Comment 11 claire robinson 2016-05-18 18:12:29 CEST

Validating based on Davids tests.

Keywords: (none) => validated_update
Whiteboard: advisory feedback => advisory mga5-64-ok

Comment 12 Mageia Robot 2016-05-18 22:15:16 CEST

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0177.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED