Debian has issued an advisory today (February 29): https://www.debian.org/security/2016/dsa-3495

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated xymon packages fix security vulnerabilities:

The incorrect handling of user-supplied input in the "config" command can trigger a stack-based buffer overflow, resulting in denial of service (via application crash) or remote code execution (CVE-2016-2054).

The incorrect handling of user-supplied input in the "config" command can lead to an information leak by serving sensitive configuration files to a remote user (CVE-2016-2055).

The commands handling password management do not properly validate user-supplied input, and are thus vulnerable to shell command injection by a remote user (CVE-2016-2056).

Incorrect permissions on an internal queuing system allow a user with a local account on the xymon master server to bypass all network-based access control lists, and thus inject messages directly into xymon (CVE-2016-2057).

Incorrect escaping of user-supplied input in status webpages can be used to trigger reflected cross-site scripting attacks (CVE-2016-2058).

Note that to effectively fix CVE-2016-2055, the /etc/xymon/xymonpasswd configuration file should be owned by user and group apache with 640 permissions.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2054
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2055
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2056
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2057
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2058
https://www.debian.org/security/2016/dsa-3495
========================

Updated packages in core/updates_testing:
========================

xymon-4.3.17-5.1.mga5
xymon-client-4.3.17-5.1.mga5

from xymon-4.3.17-5.1.mga5.src.rpm
Advisory uploaded.
Whiteboard: (none) => advisory
Having a look at this. It is a network monitoring service of some kind. That is all I know yet.
CC: (none) => tarazed25
mga5 x86_64 Mate

Googling revealed that this is a server and network monitoring tool, formerly Hobbit, which keeps all its configuration files in one place and uses a browser for display. For security reasons it is recommended that an isolated userid be created for xymon (i.e. not a member of any other groups), ignored for this test.

URLs: http://xymon.sourceforge.net

Installed xymon and captured the introductory text.

$ urpmq -f xymon
xymon-4.3.17-5.mga5.x86_64

Edited the XYMONSERVERS entry in /etc/sysconfig/xymon-client. Replace the empty string by a space-separated list of the IP addresses of the LAN nodes to be monitored and optionally set CLIENTHOSTNAME.

Ran a check that the service could start

# systemctl start xymon.service
# systemctl status xymon.service
● xymon.service - Xymon systems and network monitor
   Loaded: loaded (/usr/lib/systemd/system/xymon.service; enabled)
   Active: active (running) since Wed 2016-03-02 18:57:02 GMT; 15s ago
     Docs: man:xymon(7)
           man:xymonlaunch(8)
           man:xymon(1)
 Main PID: 11949 (xymonlaunch)
   CGroup: /system.slice/xymon.service
           ├─11949 /usr/sbin/xymonlaunch --no-daemon --log=/var/log/xymon/xym...
           ├─11955 xymond --restart=/var/lib/xymon/tmp/xymond.chk --checkpoin...
           ├─12067 /bin/sh
           ├─12069 vmstat 300 2
           ├─12076 xymond_channel --channel=stachg xymond_history
           ├─12077 xymond_channel --channel=page xymond_alert --checkpoint-fi...
           ├─12078 xymond_channel --channel=client xymond_client
           ├─12079 xymond_channel --channel=status xymond_rrd --rrddir=/var/l...
           ├─12080 xymond_channel --channel=data xymond_rrd --rrddir=/var/lib...
           ├─12081 xymond_channel --channel=clichg xymond_hostdata
           ├─12087 xymond_rrd --rrddir=/var/lib/xymon/rrd
           └─12088 xymond_history

Mar 02 18:57:02 vega xymoncmd[11949]: 2016-03-02 18:57:02 Using default env...fg
# systemctl stop xymon.service

At this point the web server needs to be configured for the xymon user but I have no idea how to approach this.
The documentation mentions various files that need to be configured but I don't see them on this system. Like ~/server/etc/xymon-apache.conf For xymon configuration the example xml file refers to /usr/local/xymon/... The default here appears to be /usr/share/xymon/... but where are the apache configuration files?
I can test this one on Mageia infra tomorrow.
CC: (none) => tmb
Might be better. Hoping you are keeping well Thomas.

Answering my question, apache? The conf files are here of course:

# locate http | grep conf
/data/lcl/.kde4/share/config/kio_httprc
/etc/asterisk/http.conf
/etc/gconf/schemas/system_http_proxy.schemas
/etc/httpd/conf
/etc/httpd/conf.d
/etc/httpd/conf/conf.d
/etc/httpd/conf/httpd.conf
/etc/httpd/conf/magic
/etc/httpd/conf/modules.d
/etc/httpd/conf/sites.d
/etc/httpd/conf/vhosts.d
/etc/httpd/conf/webapps.d
Tested on: Mageia release 5 (Official) for x86_64

Package(s) Under Test: xymon-4.3.17-5.1.mga5.x86_64

Package(s) Testing Pre Upgrade:

% sudo urpmf xymon
Package xymon-4.3.17-5.mga5.x86_64 is already installed
% sudo htpasswd -c /etc/xymon/xymonpasswd admin
% sudo chown apache:apache xymonpasswd
% sudo chmod 640 xymonpasswd
% sudo service xymon restart
% sudo service httpd restart

Visited http://localhost/xymon and the site came up, monitoring only my local system. Poked around a little though there is little to do with a new install and only one server. Everything is working with the out of the box configuration. I couldn't seem to get the http://locahost/xymon-seccgi/ scripts to work so I'm not sure I got the authentication setup properly.

Package(s) Testing Upgrade:

% sudo urpmi xymon
Package xymon-4.3.17-5.1.mga5.x86_64 is already installed

Visited http://localhost/xymon again and confirmed I was not using a cache. Everything still was working and I was able to mark a service as being under maintenance. Again, nothing within http://localhost/xymon-seccgi/ is working, internal server errors.

Kernel Version: 4.1.15-desktop-2.mga5 x86_64

Hardware Information:
Description: Desktop Computer
Product: Virtual Machine
Vendor: Microsoft Corporation
CC: (none) => dpremy
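The advisory's note on CVE-2016-2055 and the chown/chmod steps in the test report above both come down to one post-install check: /etc/xymon/xymonpasswd must be owned by apache:apache with mode 640. The script below is an added example (not part of the Mageia package or this bug report) that verifies that on the xymon master; it assumes GNU coreutils `stat` as shipped on Mageia, and the helper names are hypothetical.

```shell
#!/bin/sh
# Hypothetical helper (not from the xymon package): verify that a file has
# exactly the owner, group and octal mode the advisory prescribes.
# Usage: check_file_perms <path> <owner> <group> <octal-mode>
# Returns 0 on match, 1 on mismatch, 2 if the file is missing/unreadable.
check_file_perms() {
    path=$1; want_owner=$2; want_group=$3; want_mode=$4
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 2
    fi
    # GNU stat (coreutils, as on Mageia): owner name, group name, octal bits
    actual=$(stat -c '%U %G %a' "$path") || return 2
    # Split "owner group mode" into the function's positional parameters
    set -- $actual
    if [ "$1" = "$want_owner" ] && [ "$2" = "$want_group" ] && [ "$3" = "$want_mode" ]; then
        echo "OK $path ($1:$2 $3)"
        return 0
    fi
    echo "FAIL $path: have $1:$2 $3, want $want_owner:$want_group $want_mode"
    return 1
}

# The concrete requirement from the advisory for the xymon password file:
# readable by the web server user only, never world-readable.
check_xymonpasswd() {
    check_file_perms /etc/xymon/xymonpasswd apache apache 640
}

# Run the advisory check when invoked as: sh check_xymonpasswd.sh --run
if [ "${1:-}" = "--run" ]; then
    check_xymonpasswd
fi
```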
Thanks David, don't forget to add the OK if you're happy with it.
I'm not too sure I was ok with the test as I think the xymon-seccgi is where this bug lives in the first place. I posted this mostly for others to have a process to install from and get it running, hopefully with the authentication portion figured out.
Adding feedback for a confirmation. tmb please see comment 6 when you get a chance. Thanks.
Whiteboard: advisory => advisory feedback
Any sysadmin please. Thanks.
CC: (none) => sysadmin-bugs
Validating based on David's tests.
Keywords: (none) => validated_update
Whiteboard: advisory feedback => advisory mga5-64-ok
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0177.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED