| Summary: | nagios new security issues CVE-2018-13441, CVE-2018-1345[78], CVE-2018-18245 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, guillomovitch, herman.viaene, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-32-OK MGA6-64-OK | ||
| Source RPM: | nagios-4.3.1-2.1.mga6.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2019-02-01 22:25:09 CET
nagios-4.3.1-2.2.mga6 submitted in updates_testing, fixing CVE-2018-13441, CVE-2018-1345[78] and CVE-2018-18245. We're not affected by CVE-2016-8641, which only concerns the sysinit service script.
Guillaume Rousse
2019-02-20 23:17:04 CET
Assignee: guillomovitch => qa-bugs

Thanks Guillaume!

Advisory:
========================

Updated nagios packages fix security vulnerabilities:

A flaw was found in Nagios Core version 4.4.1 and earlier. The qh_help function is prone to a NULL pointer dereference vulnerability, which allows attacker to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket (CVE-2018-13441).

A flaw was found in Nagios Core version 4.4.1 and earlier. The qh_echo function is prone to a NULL pointer dereference vulnerability, which allows attacker to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket (CVE-2018-13457).

A flaw was found in Nagios Core version 4.4.1 and earlier. The qh_core function is prone to a NULL pointer dereference vulnerability, which allows attacker to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket (CVE-2018-13458).

A cross-site scripting (XSS) vulnerability has been discovered in Nagios Core. This vulnerability allows attackers to place malicious JavaScript code into the web frontend through manipulation of plugin output. In order to do this the attacker needs to be able to manipulate the output returned by nagios checks, e.g. by replacing a plugin on one of the monitored endpoints. Execution of the payload then requires that an authenticated user creates an alert summary report which contains the corresponding output (CVE-2018-18245).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13441
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13457
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13458
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18245
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3EGOZ3JA6TL3YUZ3XWYQ47OYQAJTWOTL/
========================

Updated packages in core/updates_testing:
========================
nagios-4.3.1-2.2.mga6
nagios-www-4.3.1-2.2.mga6
nagios-devel-4.3.1-2.2.mga6

from nagios-4.3.1-2.2.mga6.src.rpm

CC: (none) => guillomovitch

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Followed procedure in Wiki
At CLI:
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: enabled)
Active: active (running) since do 2019-02-21 20:35:52 CET; 3min 8s ago
Main PID: 19415 (httpd)
Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec: 0 B/sec"
CGroup: /system.slice/httpd.service
├─19415 /usr/sbin/httpd -DFOREGROUND
├─19419 /usr/sbin/httpd -DFOREGROUND
├─19420 /usr/sbin/httpd -DFOREGROUND
├─19421 /usr/sbin/httpd -DFOREGROUND
├─19422 /usr/sbin/httpd -DFOREGROUND
└─19423 /usr/sbin/httpd -DFOREGROUND
feb 21 20:35:49 mach6.hviaene.thuis systemd[1]: Stopped The Apache HTTP Server.
feb 21 20:35:49 mach6.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
feb 21 20:35:52 mach6.hviaene.thuis systemd[1]: Started The Apache HTTP Server.
# systemctl -l status nagios
● nagios.service - Nagios network monitor
Loaded: loaded (/usr/lib/systemd/system/nagios.service; enabled; vendor preset: enabled)
Active: inactive (dead)
# systemctl -l start nagios
# systemctl -l status nagios
● nagios.service - Nagios network monitor
Loaded: loaded (/usr/lib/systemd/system/nagios.service; enabled; vendor preset: enabled)
Active: active (running) since do 2019-02-21 20:39:30 CET; 2s ago
Process: 19801 ExecStart=/usr/sbin/nagios -d /etc/nagios/nagios.cfg (code=exited, status=0/SUCCESS)
Main PID: 19803 (nagios)
CGroup: /system.slice/nagios.service
├─19803 /usr/sbin/nagios -d /etc/nagios/nagios.cfg
├─19805 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
├─19806 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
├─19807 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
├─19808 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
└─19809 /usr/sbin/nagios -d /etc/nagios/nagios.cfg
feb 21 20:39:30 mach6.hviaene.thuis nagios[19803]: nerd: Channel hostchecks registered successfully
feb 21 20:39:30 mach6.hviaene.thuis nagios[19803]: nerd: Channel servicechecks registered successfully
feb 21 20:39:30 mach6.hviaene.thuis nagios[19803]: nerd: Channel opathchecks registered successfully
feb 21 20:39:30 mach6.hviaene.thuis nagios[19803]: nerd: Fully initialized and ready to rock!
feb 21 20:39:30 mach6.hviaene.thuis nagios[19803]: wproc: Successfully registered manager as @wproc with
feb 21 20:39:30 mach6.hviaene.thuis nagios[19803]: wproc: Registry request: name=Core Worker 19807;pid=19
feb 21 20:39:30 mach6.hviaene.thuis nagios[19803]: wproc: Registry request: name=Core Worker 19808;pid=19
feb 21 20:39:30 mach6.hviaene.thuis nagios[19803]: wproc: Registry request: name=Core Worker 19806;pid=19
feb 21 20:39:30 mach6.hviaene.thuis nagios[19803]: wproc: Registry request: name=Core Worker 19805;pid=19
feb 21 20:39:30 mach6.hviaene.thuis nagios[19803]: Successfully launched command file worker with pid 198
Checked info on different tabs and created (empty) graph on Trends section
All looks OK

CC: (none) => herman.viaene

Testing x86_64 for clean install only, as anything else is beyond my capability. Installed nagios 4.3.1-2.1, which pulled in several nagios-check packages, but by no means all of them. Also installed nagios-www. All packages installed cleanly. Used the package list from Comment 2 in the qarepo tool to update those packages. Again both packages installed cleanly. Giving this the 64-bit OK on the basis of that clean install. Validating on the basis of Herman's 32-bit tests. Suggested advisory in Comment 2.

Keywords: (none) => validated_update
Dave Hodgins
2019-03-06 22:21:38 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0104.html

Resolution: (none) => FIXED