Bug 28557 - nagios new security issue CVE-2020-13977
Summary: nagios new security issue CVE-2020-13977
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords: feedback
Depends on:
Blocks:
 
Reported: 2021-03-08 18:03 CET by David Walser
Modified: 2021-04-12 23:42 CEST

See Also:
Source RPM: nagios-4.4.3-2.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2021-03-08 18:03:28 CET
Fedora has issued an advisory on March 7:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JUEIABR4Y6L5J5MZDFWU46ZWXMJO64U3/

The issue is fixed upstream in 4.4.6.
David Walser 2021-03-08 18:03:41 CET

Status comment: (none) => Fixed upstream in 4.4.6

Comment 1 Lewis Smith 2021-03-08 20:27:40 CET
M8 already has nagios-4.4.6-2.mga8.src.rpm.

Seems best to assign this to Guillaume, its maintainer.

Assignee: bugsquad => guillomovitch

Comment 2 Aurelien Oudelet 2021-03-08 20:29:16 CET
Mid-air collision ;)

CC: (none) => ouaurelien

Comment 3 Nicolas Lécureuil 2021-03-09 22:09:47 CET
fixed in mga7:

src:
    -  nagios-4.4.3-2.1.mga7

CC: (none) => mageia
Assignee: guillomovitch => qa-bugs
Status comment: Fixed upstream in 4.4.6 => (none)

Comment 4 David Walser 2021-03-10 00:35:21 CET
Advisory:
========================

Updated nagios packages fix security vulnerability:

Nagios 4.4.5 allows an attacker, who already has administrative access to
change the "URL for JSON CGIs" configuration setting, to modify the Alert
Histogram and Trends code via crafted versions of the archivejson.cgi,
objectjson.cgi, and statusjson.cgi files (CVE-2020-13977).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13977
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JUEIABR4Y6L5J5MZDFWU46ZWXMJO64U3/
========================

Updated packages in core/updates_testing:
========================
nagios-4.4.3-2.1.mga7
nagios-www-4.4.3-2.1.mga7
nagios-devel-4.4.3-2.1.mga7

from nagios-4.4.3-2.1.mga7.src.rpm

Comment 5 PC LX 2021-04-09 15:10:53 CEST
Installed and tested. Some configuration changes were needed to get it working.

I'm not giving it an OK and will let the packager decide if this is OK as is or if the configuration needs to be changed.

System: Mageia 7, x86_64, Intel CPU.


Install and setup procedure:

Step 1 - Installed packages nagios, nagios-www and all dependencies.

Step 2 - Change the configuration file "/etc/httpd/conf/sites.d/nagios.conf" to get HTTP authentication working. The changed file follows.

#########################################################
# Nagios Apache configuration

ScriptAlias /nagios/cgi-bin /usr/lib64/nagios/cgi

<Directory /usr/lib64/nagios/cgi>
    Options ExecCGI

    AuthType Basic
    AuthName "Restricted Content"
    AuthBasicProvider file
    AuthUserFile /etc/nagios/htpasswd
    Require valid-user

</Directory>

Alias /nagios /usr/share/nagios/www

<Directory /usr/share/nagios>

    AuthType Basic
    AuthName "Restricted Content"
    AuthBasicProvider file
    AuthUserFile /etc/nagios/htpasswd
    Require valid-user

</Directory>
#########################################################

Step 2 alternative - Disable nagios authentication, but I strongly recommend against this.

To disable authentication, change "use_authentication=1" to "use_authentication=0" in the file /etc/nagios/cgi.cfg.

Step 3 - Set the HTTP authentication password.

$ htpasswd /etc/nagios/htpasswd nagiosadmin
New password: 
Re-type new password:

Step 4 - Start the httpd and nagios services.

$ systemctl start httpd nagios

Step 5 - Open the URL https://example.com/nagios/ in a browser.

$ uname -a
Linux marte 5.10.27-desktop-1.mga7 #1 SMP Wed Mar 31 00:16:43 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep nagios | sort
nagios-4.4.3-2.1.mga7
nagios-check_disk-2.2.1-4.mga7
nagios-check_http-2.2.1-4.mga7
nagios-check_load-2.2.1-4.mga7
nagios-check_ping-2.2.1-4.mga7
nagios-check_procs-2.2.1-4.mga7
nagios-check_ssh-2.2.1-4.mga7
nagios-check_swap-2.2.1-4.mga7
nagios-check_users-2.2.1-4.mga7
nagios-plugins-2.2.1-4.mga7
nagios-www-4.4.3-2.1.mga7
$ systemctl status nagios
● nagios.service - Nagios network monitor
   Loaded: loaded (/usr/lib/systemd/system/nagios.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-04-09 13:41:27 WEST; 27min ago
  Process: 29681 ExecStart=/usr/sbin/nagios -d /etc/nagios/nagios.cfg (code=exited, status=0/SUCCESS)
 Main PID: 29682 (nagios)
    Tasks: 8 (limit: 4668)
   Memory: 16.2M
   CGroup: /system.slice/nagios.service
           ├─29682 /usr/sbin/nagios -d /etc/nagios/nagios.cfg
           ├─29683 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
           ├─29684 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
           ├─29685 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
           ├─29686 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
           ├─29687 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
           ├─29688 /usr/sbin/nagios --worker /var/spool/nagios/nagios.qh
           └─29691 /usr/sbin/nagios -d /etc/nagios/nagios.cfg

abr 09 13:41:27 marte nagios[29682]: wproc: Registry request: name=Core Worker 29683;pid=29683
abr 09 13:41:27 marte nagios[29682]: wproc: Registry request: name=Core Worker 29686;pid=29686
abr 09 13:41:27 marte nagios[29682]: wproc: Registry request: name=Core Worker 29688;pid=29688
abr 09 13:41:27 marte nagios[29682]: wproc: Registry request: name=Core Worker 29685;pid=29685
abr 09 13:41:27 marte nagios[29682]: wproc: Registry request: name=Core Worker 29684;pid=29684
abr 09 13:41:27 marte nagios[29682]: wproc: Registry request: name=Core Worker 29687;pid=29687
abr 09 13:41:27 marte nagios[29682]: Successfully launched command file worker with pid 29691
abr 09 13:43:29 marte nagios[29682]: SERVICE ALERT: localhost;SSH;OK;HARD;4;SSH OK - OpenSSH_8.0 (protocol 2.0)
abr 09 13:44:32 marte nagios[29682]: EXTERNAL COMMAND: ENABLE_SVC_NOTIFICATIONS;localhost;HTTP
abr 09 13:44:50 marte nagios[29682]: EXTERNAL COMMAND: ENABLE_SVC_NOTIFICATIONS;localhost;SSH

CC: (none) => mageia
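
A defender's check on the two settings the procedure above touches, added here as an example and not part of the bug report or of the Mageia nagios package: it parses an httpd config in the shape shown in Step 2 and confirms that every <Directory> block requires authentication, and it confirms that cgi.cfg has not been switched to use_authentication=0 as in the Step 2 alternative. The config and cgi.cfg samples are constructed inline; the paths in them are the ones quoted in the report.

```shell
# Added example, not from the bug report. Two checks: every <Directory> block
# in the Nagios httpd config must carry AuthUserFile and "Require valid-user",
# and cgi.cfg must still have use_authentication=1 (Step 2 alternative sets 0).

# Return 0 if every <Directory ...> block in the file $1 is protected,
# 1 otherwise; each unprotected directory is named on stdout.
check_apache_auth() {
    awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*<Directory[[:space:]]/ { dir = $2; sub(/>.*/, "", dir); req = 0; userfile = 0; next }
        /^[[:space:]]*AuthUserFile[[:space:]]/       { userfile = 1 }
        /^[[:space:]]*Require[[:space:]]+valid-user/ { req = 1 }
        /^[[:space:]]*<\/Directory>/ {
            if (!req || !userfile) { printf "unprotected: %s\n", dir; bad = 1 }
        }
        END { exit bad }
    ' "$1"
}

# Return 0 if the cgi.cfg $1 has an active (uncommented) use_authentication=1.
check_cgi_auth() {
    grep -Eq '^[[:space:]]*use_authentication[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Constructed samples: the tester's protected config, a variant that lost
# "Require valid-user" on the web root only, and both cgi.cfg settings.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp); GOOD_CGI=$(mktemp); BAD_CGI=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF" "$GOOD_CGI" "$BAD_CGI"' EXIT
cat > "$GOOD_CONF" <<'EOF'
ScriptAlias /nagios/cgi-bin /usr/lib64/nagios/cgi
<Directory /usr/lib64/nagios/cgi>
    AuthType Basic
    AuthUserFile /etc/nagios/htpasswd
    Require valid-user
</Directory>
Alias /nagios /usr/share/nagios/www
<Directory /usr/share/nagios>
    AuthType Basic
    AuthUserFile /etc/nagios/htpasswd
    Require valid-user
</Directory>
EOF
awk 'NR <= 7 || !/Require/' "$GOOD_CONF" > "$BAD_CONF"   # first block kept intact
printf '# use_authentication=0\nuse_authentication=1\n' > "$GOOD_CGI"
printf 'use_authentication=0\n' > "$BAD_CGI"
for f in "$GOOD_CONF" "$BAD_CONF"; do
    check_apache_auth "$f" && echo "httpd auth OK" || echo "httpd auth NOT OK"
done
check_cgi_auth "$GOOD_CGI" && echo "cgi.cfg OK"; check_cgi_auth "$BAD_CGI" || echo "cgi.cfg NOT OK"
```

Run against the real files by passing /etc/httpd/conf/sites.d/nagios.conf and /etc/nagios/cgi.cfg to the two functions; a non-zero exit means one of the protections the tester relied on is missing.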

Comment 6 Thomas Andrews 2021-04-12 23:42:30 CEST
Nicolas?

CC: (none) => andrewsfarm
Keywords: (none) => feedback

