Bug 8799 - nagios new security issue CVE-2012-6096
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal
Severity: normal
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/533714/
Whiteboard: has_procedure mga2-64-ok MGA2-32-OK
Keywords: validated_update

Reported: 2013-01-23 21:45 CET by David Walser
Modified: 2013-02-08 15:46 CET
Source RPM: nagios-3.4.3-1.mga3.src.rpm

Description David Walser 2013-01-23 21:45:13 CET
Fedora has issued an advisory on January 14:
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097239.html

The issue is fixed upstream in 3.4.4.

Mageia 2 is also likely to be affected.
Comment 1 David Walser 2013-01-24 19:51:22 CET
OpenSuSE has issued an advisory for this on January 23:
http://lists.opensuse.org/opensuse-updates/2013-01/msg00033.html

They have a patch for 3.3.1 (the version we have in Mageia 2).
Comment 2 David Walser 2013-01-28 00:48:47 CET
Fixed in Cauldron by Guillaume.
Comment 3 Guillaume Rousse 2013-01-29 21:11:38 CET
The Suse patch seems to be wrong, it just replaces sprintf with snprintf without a size argument...

I just submitted nagios-3.3.1-2.2.mga2 to core_updates/testing.

The same advisory as Fedora can be used:
Nagios Core's history.cgi is vulnerable to a buffer overflow because it used sprintf on user-supplied data that was not restricted in size (CVE-2012-6096).

Due to various protections of the operating system (history.cgi is compiled with SSP, FORTIFY_SOURCE is enabled, etc.) this is not believed to be exploitable and would result in a denial of service to the user sending the input to history.cgi.
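The advisory text above names the root cause (sprintf into a fixed buffer from a host parameter of unrestricted length), and the comment notes that swapping in snprintf is only a fix when it is actually given the buffer size. The C below is an added illustration of that contrast, not Nagios code or the Mageia patch; HOST_BUF_LEN, format_host_param and host_fits are hypothetical names, and the 4000-character input is constructed to match the length quoted later in this bug.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size buffer standing in for the buffer that
 * history.cgi formatted the user-supplied "host" parameter into. */
#define HOST_BUF_LEN 128

/* Unsafe pattern named in the advisory, shown as a comment only:
 * sprintf() writes as many bytes as the input needs, so an over-long
 * "host" value runs past the end of buf.
 *
 *     sprintf(buf, "host=%s", host);
 */

/* Hardened form: snprintf() with the real buffer size, plus a check of
 * the return value, which is the length the full output would have had.
 * Returns 0 on success and -1 when the input does not fit, so the caller
 * rejects it instead of acting on a silently truncated host name. */
int format_host_param(char *buf, size_t buflen, const char *host)
{
    int needed = snprintf(buf, buflen, "host=%s", host);
    if (needed < 0 || (size_t)needed >= buflen)
        return -1;          /* buf still holds a NUL-terminated prefix */
    return 0;
}

/* Convenience check with a local buffer: 1 if host fits, else 0. */
int host_fits(const char *host)
{
    char buf[HOST_BUF_LEN];
    return format_host_param(buf, sizeof buf, host) == 0;
}

/* Exercise the check with an ordinary host name and with a constructed
 * over-long value like the 4000 'a's in the public report. */
int demo(void)
{
    char longhost[4001];
    memset(longhost, 'a', 4000);
    longhost[4000] = '\0';
    return host_fits("localhost") == 1 && host_fits(longhost) == 0;
}

int main(void)
{
    printf("bounded host formatting %s\n", demo() ? "OK" : "FAILED");
    return demo() ? 0 : 1;
}
```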
Comment 4 David Walser 2013-01-29 21:17:27 CET
Thanks Guillaume!

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6096
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097239.html

RPMs:
nagios-3.3.1-2.2.mga2
nagios-www-3.3.1-2.2.mga2
nagios-theme-default-3.3.1-2.2.mga2
nagios-devel-3.3.1-2.2.mga2
Comment 5 David Walser 2013-01-31 22:40:39 CET
*** Bug 8653 has been marked as a duplicate of this bug. ***
Comment 6 claire robinson 2013-02-03 16:59:08 CET
PoC: http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0108.html

" An example url that results in an overflow (and segfault):
http://nagiosserver/nagios/cgi-bin/history.cgi?host=aaaaaaa... (4000 'a's) "
Comment 7 David Walser 2013-02-05 20:54:57 CET
Patch checked into Mageia 1 SVN.
Comment 8 claire robinson 2013-02-06 16:35:44 CET
One liner to create the link

echo -e "http://nagiosserver/nagios/cgi-bin/history.cgi?host="$(perl -e 'print "a" x 4000,"\n"') > nagioslink
Comment 9 claire robinson 2013-02-06 18:20:52 CET
Testing mga2 64

After install, start nagios service.

No default user is configured so browsing to http://localhost/nagios you are prevented from using many of the options and at the top it shows 'Logged in as ?'

Without setting up htaccess, which I believe is the way to authenticate, for the purposes of testing I edited /etc/nagios/cgi.cfg and uncommented default_user_name and changed the user from guest to nagios.

Restarting httpd and browsing again it now shows 'Logged in as nagios' and stuff works.

There is no explanation of how this is packaged so it's not really very user friendly.

Nagios is configured to use certain plugins by default which are not installed by default, so it generates a lot of warnings in syslog.

Total Processes, Current Load, Current Users, HTTP, PING, SSH, Swap Usage, host

All give warnings similar to this..

nagios: Warning: Return code of 127 for check of service 'Swap Usage' on host 'localhost' was out of bounds. Make sure the plugin you're trying to run actually exists.

I do have nagios-plugins installed.
# rpm -q nagios-plugins
nagios-plugins-1.4.15-9.mga2

Installing eg. nagios-check_ssh causes it to restart the nagios daemon which then fails to restart.

nagios[17462]: Warning: Duplicate definition found for command 'check_ssh' (config file '/etc/nagios/plugins.d/check_ssh.cfg', starting on line 3)

Same for others I tried such as nagios-check_http

nagios: Warning: Duplicate definition found for command 'check_http' (config file '/etc/nagios/plugins.d/check_http.cfg', starting on line 3)
nagios: Error: Could not add object property in file '/etc/nagios/plugins.d/check_http.cfg' on line 4.

Testing the CVE

Created a link with echo -e "http://localhost/nagios/cgi-bin/history.cgi?host="$(perl -e 'print "a" x 4000,"\n"') > nagioslink

Pasting the link into a browser doesn't cause any crash, it tries to view the host.

After update, all the same.


Unless I'm doing something badly wrong, nagios is in a bit of a state but there are no regressions after the update.
Comment 10 Dave Hodgins 2013-02-07 03:09:15 CET
Before installing the update, I installed task-nagios, set
use_authentication=0 in /etc/nagios/cgi.cfg, and restarted httpd.

Going to http://localhost/nagios/, it shows ...
Error: Could not read object configuration data!

Running nagios -v /etc/nagios/nagios.cfg shows ...
Warning: Duplicate definition found for command 'check_ping' (config file '/etc/nagios/plugins.d/check_ping.cfg', starting on line 3)
Error: Could not add object property in file '/etc/nagios/plugins.d/check_ping.cfg' on line 4.
   Error processing object config files!

I had to remove the following files to get the -v option to not show errors.
-rw-r--r-- 1 root root  456 Mar 29  2012 check_dhcp.cfg
-rw-r--r-- 1 root root  211 Mar 29  2012 check_hpjd.cfg
-rw-r--r-- 1 root root 2403 Mar 29  2012 check_http.cfg
-rw-r--r-- 1 root root  253 Mar 29  2012 check_nt.cfg
-rw-r--r-- 1 root root 2210 Mar 29  2012 check_ping.cfg
-rw-r--r-- 1 root root  201 Mar 29  2012 check_smtp.cfg
-rw-r--r-- 1 root root  460 Mar 29  2012 check_ssh.cfg
-rw-r--r-- 1 root root 3607 Mar 29  2012 check_tcp.cfg

Even after removing those files, and restarting httpd, any nagios link other
than home or documentation still shows
Error: Could not read object configuration data!

Suggestions?
Comment 11 claire robinson 2013-02-07 14:11:43 CET
I set default_user_name to nagios instead Dave and found it solved that.

The errors, I found too. I'll create some more bugs..

It may be due to the existence of /etc/nagios/plugins.d/nagios-plugins.cfg_do_not_use in the nagios-plugins package but I'd had enough of trying to make it work by then to test any further.
Comment 12 claire robinson 2013-02-07 14:59:37 CET
Created new bugs. They are likely all symptoms of the same problem.

Bug 8985 -  nagios-check_* packages cause nagios to fail to start with errors eg Error: Could not add object property in file '/etc/nagios/plugins.d/check_ping.cfg' on line 4.

Bug 8986 - nagios generates lots of warnings in syslog eg. Return code of 127 for check of service 'Swap Usage' on host 'localhost' was out of bounds. Make sure the plugin you're trying to run actually exists.

Bug 8987 - Nagios fails to gather service data - (Return code of 127 is out of bounds - plugin may be missing)
Comment 13 Dave Hodgins 2013-02-07 20:40:18 CET
Thanks Claire. Turning auth back on, and setting the default user fixed
the problem.

Testing complete on Mageia 2 i586.

Could someone from the sysadmin team push the srpm
nagios-3.3.1-2.2.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Nagios update corrects a buffer overflow problem that
could be used for a denial of service attack, with application crashes.  

https://bugs.mageia.org/show_bug.cgi?id=8799
Comment 14 David Walser 2013-02-07 20:54:04 CET
Guillaume gave a suggested advisory in Comment 3:

Nagios Core's history.cgi is vulnerable to a buffer overflow because it used
sprintf on user-supplied data that was not restricted in size (CVE-2012-6096).

Due to various protections of the operating system (history.cgi is compiled
with SSP, FORTIFY_SOURCE is enabled, etc.) this is not believed to be
exploitable and would result in a denial of service to the user sending the
input to history.cgi.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6096
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097239.html
Comment 15 Thomas Backlund 2013-02-08 15:46:33 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0039
