Bug 28557 - nagios new security issue CVE-2020-13977
Summary: nagios new security issue CVE-2020-13977
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-03-08 18:03 CET by David Walser
Modified: 2021-05-12 11:58 CEST (History)
5 users (show)

See Also:
Source RPM: nagios-4.4.3-2.mga7.src.rpm
CVE: CVE-2020-13977
Status comment:


Attachments

Description David Walser 2021-03-08 18:03:28 CET
Fedora has issued an advisory on March 7:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JUEIABR4Y6L5J5MZDFWU46ZWXMJO64U3/

The issue is fixed upstream in 4.4.6.
David Walser 2021-03-08 18:03:41 CET

Status comment: (none) => Fixed upstream in 4.4.6

Comment 1 Lewis Smith 2021-03-08 20:27:40 CET
M8 already has nagios-4.4.6-2.mga8.src.rpm.

Seems best to assign this to Guillaume, its maintainer.

Assignee: bugsquad => guillomovitch

Comment 2 Aurelien Oudelet 2021-03-08 20:29:16 CET
Mid-air collision ;)

CC: (none) => ouaurelien

Comment 3 Nicolas Lécureuil 2021-03-09 22:09:47 CET
fixed in mga7:

src:
    -  nagios-4.4.3-2.1.mga7

Status comment: Fixed upstream in 4.4.6 => (none)
CC: (none) => mageia
Assignee: guillomovitch => qa-bugs

Comment 4 David Walser 2021-03-10 00:35:21 CET
Advisory:
========================

Updated nagios packages fix security vulnerability:

Nagios 4.4.5 allows an attacker, who already has administrative access to
change the "URL for JSON CGIs" configuration setting, to modify the Alert
Histogram and Trends code via crafted versions of the archivejson.cgi,
objectjson.cgi, and statusjson.cgi files (CVE-2020-13977).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13977
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JUEIABR4Y6L5J5MZDFWU46ZWXMJO64U3/
========================

Updated packages in core/updates_testing:
========================
nagios-4.4.3-2.1.mga7
nagios-www-4.4.3-2.1.mga7
nagios-devel-4.4.3-2.1.mga7

from nagios-4.4.3-2.1.mga7.src.rpm
Comment 5 PC LX 2021-04-09 15:10:53 CEST
Installed and tested. Some configuration changes were needed to get it working.

I'm not giving it an OK and will let the packager decide if this is OK as is or if the configurations needs to be changed.

System: Mageia 7, x86_64, Intel CPU.


Install and setup procedure:

Step 1 - Installed packages nagios, nagios-www and all dependencies.



Step 2 - Change the configuration file "/etc/httpd/conf/sites.d/nagios.conf" to get HTTP authentication working. Changed file is next.

#########################################################
# Nagios Apache configuration

ScriptAlias /nagios/cgi-bin /usr/lib64/nagios/cgi

<Directory /usr/lib64/nagios/cgi>
    Options ExecCGI

    AuthType Basic
    AuthName "Restricted Content"
    AuthBasicProvider file
    AuthUserFile /etc/nagios/htpasswd
    Require valid-user

</Directory>

Alias /nagios /usr/share/nagios/www

<Directory /usr/share/nagios>

    AuthType Basic
    AuthName "Restricted Content"
    AuthBasicProvider file
    AuthUserFile /etc/nagios/htpasswd
    Require valid-user

</Directory>
#########################################################



Step 2 alternative - Disable nagios authentication but I strongly recommend against this. 

To disable authentication, change "use_authentication=1" to "use_authentication=0" in the file /etc/nagios/cgi.cfg.



Step 3 - Set http authentication password.

$ htpasswd /etc/nagios/htpasswd nagiosadmin
New password: 
Re-type new password:



Step 4 - Start httpd and nagios services.

$ systemctl start httpd nagios

Step 5 - Open in a browser the URL https://example.com/nagios/



$ uname -a
Linux marte 5.10.27-desktop-1.mga7 #1 SMP Wed Mar 31 00:16:43 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep nagios | sort
nagios-4.4.3-2.1.mga7
nagios-check_disk-2.2.1-4.mga7
nagios-check_http-2.2.1-4.mga7
nagios-check_load-2.2.1-4.mga7
nagios-check_ping-2.2.1-4.mga7
nagios-check_procs-2.2.1-4.mga7
nagios-check_ssh-2.2.1-4.mga7
nagios-check_swap-2.2.1-4.mga7
nagios-check_users-2.2.1-4.mga7
nagios-plugins-2.2.1-4.mga7
nagios-www-4.4.3-2.1.mga7
$ systemctl status nagios
● nagios.service - Nagios network monitor
   Loaded: loaded (/usr/lib/systemd/system/nagios.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-04-09 13:41:27 WEST; 27min ago
  Process: 29681 ExecStart=/usr/sbin/nagios -d /etc/nagios/nagios.cfg (code=exited, status=0/SUCCESS)
 Main PID: 29682 (nagios)
    Tasks: 8 (limit: 4668)
   Memory: 16.2M
   CGroup: /system.slice/nagios.service
           ├─29682 /usr/sbin/nagios -d /etc/nagios/nagios.cfg
           ├─29683 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
           ├─29684 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
           ├─29685 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
           ├─29686 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
           ├─29687 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
           ├─29688 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
           └─29691 /usr/sbin/nagios -d /etc/nagios/nagios.cfg

abr 09 13:41:27 marte nagios[29682]: wproc: Registry request: name=Core Worker 29683;pid=29683
abr 09 13:41:27 marte nagios[29682]: wproc: Registry request: name=Core Worker 29686;pid=29686
abr 09 13:41:27 marte nagios[29682]: wproc: Registry request: name=Core Worker 29688;pid=29688
abr 09 13:41:27 marte nagios[29682]: wproc: Registry request: name=Core Worker 29685;pid=29685
abr 09 13:41:27 marte nagios[29682]: wproc: Registry request: name=Core Worker 29684;pid=29684
abr 09 13:41:27 marte nagios[29682]: wproc: Registry request: name=Core Worker 29687;pid=29687
abr 09 13:41:27 marte nagios[29682]: Successfully launched command file worker with pid 29691
abr 09 13:43:29 marte nagios[29682]: SERVICE ALERT: localhost;SSH;OK;HARD;4;SSH OK - OpenSSH_8.0 (protocol 2.0)
abr 09 13:44:32 marte nagios[29682]: EXTERNAL COMMAND: ENABLE_SVC_NOTIFICATIONS;localhost;HTTP
abr 09 13:44:50 marte nagios[29682]: EXTERNAL COMMAND: ENABLE_SVC_NOTIFICATIONS;localhost;SSH

CC: (none) => mageia

Comment 6 Thomas Andrews 2021-04-12 23:42:30 CEST
Nicolas?

Keywords: (none) => feedback
CC: (none) => andrewsfarm

Comment 7 PC LX 2021-05-08 14:22:44 CEST
Since people using this have already configured it to work and are currently using a vulnerable version, I think this update should be pushed even if it requires some configuration tinkering for new installations.
Comment 8 Thomas Andrews 2021-05-08 16:32:40 CEST
I decided to take another look at this myself, since it has been so long and there have been several updates to Mageia 7 since Comment 5.

Installed nagios, nagios-www, and dependencies in a Mageia 7 Vbox Plasma guest, then got the updates with qarepo. No installation issues.

Much has happened at Mageia since https://wiki.mageia.org/en/QA_procedure:Nagios was written in December 2012, making it rather dated and incomplete for a novice to follow. It really needs to be rewritten by someone who knows what he/she is doing.

I referenced Bug 24290 for a procedure that is more recent. In that bug I declared testing beyond a clean install to be beyond my capabilities, and it still is, but I was able to judiciously use copy-and-paste to follow at least part of Herman's procedure:

# systemctl  -l status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2021-05-08 10:02:46 EDT; 9s ago
 Main PID: 11978 (httpd)
   Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec:   0 B/sec"
    Tasks: 6 (limit: 4702)
   Memory: 26.4M
   CGroup: /system.slice/httpd.service
           ├─11978 /usr/sbin/httpd -DFOREGROUND
           ├─11980 /usr/sbin/httpd -DFOREGROUND
           ├─11981 /usr/sbin/httpd -DFOREGROUND
           ├─11982 /usr/sbin/httpd -DFOREGROUND
           ├─11983 /usr/sbin/httpd -DFOREGROUND
           └─11984 /usr/sbin/httpd -DFOREGROUND

May 08 10:02:46 localhost systemd[1]: Starting The Apache HTTP Server...
May 08 10:02:46 localhost httpd[11978]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using ::1. Set the 'ServerName' directive globally to suppress >
May 08 10:02:46 localhost systemd[1]: Started The Apache HTTP Server.
~
[root@localhost ~]# systemctl  -l status nagios
● nagios.service - Nagios network monitor
   Loaded: loaded (/usr/lib/systemd/system/nagios.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
[root@localhost ~]# systemctl  -l start nagios
[root@localhost ~]# systemctl  -l status nagios
● nagios.service - Nagios network monitor
   Loaded: loaded (/usr/lib/systemd/system/nagios.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2021-05-08 10:05:37 EDT; 16s ago
  Process: 13456 ExecStart=/usr/sbin/nagios -d /etc/nagios/nagios.cfg (code=exited, status=0/SUCCESS)
 Main PID: 13457 (nagios)
    Tasks: 6 (limit: 4702)
   Memory: 2.0M
   CGroup: /system.slice/nagios.service
           ├─13457 /usr/sbin/nagios -d /etc/nagios/nagios.cfg
           ├─13458 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
           ├─13459 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
           ├─13460 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
           ├─13461 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
           └─13463 /usr/sbin/nagios -d /etc/nagios/nagios.cfg

May 08 10:05:37 localhost nagios[13457]: qh: Socket '/var/spool/nagios/nagios.qh' successfully initialized
May 08 10:05:37 localhost nagios[13457]: qh: core query handler registered
May 08 10:05:37 localhost nagios[13457]: qh: echo service query handler registered
May 08 10:05:37 localhost nagios[13457]: qh: help for the query handler registered
May 08 10:05:37 localhost nagios[13457]: wproc: Successfully registered manager as @wproc with query handler
May 08 10:05:37 localhost nagios[13457]: wproc: Registry request: name=Core Worker 13459;pid=13459
May 08 10:05:37 localhost nagios[13457]: wproc: Registry request: name=Core Worker 13461;pid=13461
May 08 10:05:37 localhost nagios[13457]: wproc: Registry request: name=Core Worker 13460;pid=13460
May 08 10:05:37 localhost nagios[13457]: wproc: Registry request: name=Core Worker 13458;pid=13458
May 08 10:05:37 localhost nagios[13457]: Successfully launched command file worker with pid 13463

That was as far as I could get with my ability, but it shows that the nagios service is running, apparently without error. Coupling this with Comments 5 and 7, I'm going to let this one go.

Validating. Advisory in Comment 4.

CC: (none) => sysadmin-bugs
Keywords: feedback => validated_update
Whiteboard: (none) => MGA7-64-OK

Aurelien Oudelet 2021-05-10 10:57:48 CEST

CVE: (none) => CVE-2020-13977
Keywords: (none) => advisory

Comment 9 Mageia Robot 2021-05-12 11:58:01 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0209.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.