Fedora has issued an advisory on January 14:
The issue is fixed upstream in 3.4.4.
Mageia 2 is also likely to be affected.
OpenSuSE has issued an advisory for this on January 23:
They have a patch for 3.3.1 (the version we have in Mageia 2).
Fixed in Cauldron by Guillaume.
The SUSE patch seems to be wrong; it just replaces sprintf with snprintf without a size argument...
I just submitted nagios-3.3.1-2.2.mga2 to core_updates/testing.
The same advisory as Fedora can be used:
Nagios Core's history.cgi is vulnerable to a buffer overflow because it used sprintf on user-supplied data that was not restricted in size (CVE-2012-6096).
Due to various protections of the operating system (history.cgi is compiled with SSP, FORTIFY_SOURCE is enabled, etc.) this is not believed to be exploitable and would result in a denial of service to the user sending the input to history.cgi.
*** Bug 8653 has been marked as a duplicate of this bug. ***
"An example url that results in an overflow (and segfault):
http://nagiosserver/nagios/cgi-bin/history.cgi?host=aaaaaaa... (4000 'a's)"
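The pattern the advisory describes (sprintf on a user-supplied host value into a fixed buffer) beside the bounded form that fixes it, as an added C example that is not Nagios code or the Mageia patch: the 256-byte destination size, the format string and the function names are assumptions standing in for the history.cgi code, which is not on this page. The probe host is constructed in the same way as the 4000-'a' URL quoted above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed destination size for the demonstration. The page does not state the
 * size of the buffer history.cgi overflowed, so 256 is a stand-in. */
#define DEST_SIZE 256
#define FMT "history.cgi?host=%s"

/* Vulnerable pattern (hypothetical, modelled on the advisory text): sprintf has
 * no notion of the destination size, so a host value longer than the buffer
 * writes past its end. Never call this with untrusted input; it is only here
 * to contrast with the bounded form. */
static void format_host_unbounded(char *dest, const char *host) {
    sprintf(dest, FMT, host);
}

/* Hardened form: snprintf bounded by the real destination size. It always
 * NUL-terminates and returns the length the full output would have needed,
 * so the caller can detect truncation instead of silently corrupting memory. */
static int format_host_bounded(char *dest, size_t dest_size, const char *host) {
    return snprintf(dest, dest_size, FMT, host);
}

/* Measure without writing: snprintf(NULL, 0, ...) returns the needed length.
 * True when the unbounded form above would overflow a DEST_SIZE buffer. */
static bool would_overflow(const char *host) {
    int needed = snprintf(NULL, 0, FMT, host);
    return needed < 0 || (size_t)needed + 1 > DEST_SIZE;
}

/* Constructed probe like the URL quoted above: n copies of 'a'. Static storage
 * so callers need not manage the allocation; n is capped at the buffer size. */
static const char *probe_host(size_t n) {
    static char probe[8192];
    if (n >= sizeof probe) n = sizeof probe - 1;
    memset(probe, 'a', n);
    probe[n] = '\0';
    return probe;
}

/* Run the bounded formatter on an n-'a' host and report the length actually
 * stored; with a long host this is DEST_SIZE - 1 regardless of n. */
static size_t bounded_stored_len(size_t n) {
    char dest[DEST_SIZE];
    format_host_bounded(dest, sizeof dest, probe_host(n));
    return strlen(dest);
}

/* The length the full output would have needed (what snprintf reports). */
static int bounded_needed_len(size_t n) {
    char dest[DEST_SIZE];
    return format_host_bounded(dest, sizeof dest, probe_host(n));
}

int main(void) {
    char dest[DEST_SIZE];

    /* Short host: both forms behave identically. */
    format_host_unbounded(dest, "localhost");
    printf("short host: %s (overflow? %s)\n", dest,
           would_overflow("localhost") ? "yes" : "no");

    /* The 4000-'a' probe: the unbounded form would smash the stack here, so we
     * only measure it and run the bounded form. */
    const char *probe = probe_host(4000);
    printf("4000 'a's: overflow? %s, needed %d bytes, stored %zu\n",
           would_overflow(probe) ? "yes" : "no",
           bounded_needed_len(4000), bounded_stored_len(4000));
    return 0;
}
```

The size passed to snprintf has to be the real size of the destination (here `sizeof dest`); a swap to snprintf with a wrong or oversized bound, as the comment above about the SUSE patch suggests, leaves the overflow in place. The return value is the part worth keeping: when it is greater than or equal to the buffer size the input was truncated, which is the case a CGI should reject rather than silently carry on with.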
Patch checked into Mageia 1 SVN.
One-liner to create the link:
echo -e "http://nagiosserver/nagios/cgi-bin/history.cgi?host="$(perl -e 'print "a" x 4000,"\n"') > nagioslink
Testing mga2 64
After install, start nagios service.
No default user is configured so browsing to http://localhost/nagios you are prevented from using many of the options and at the top it shows 'Logged in as ?'
Without setting up htaccess, which I believe is the way to authenticate, for the purposes of testing I edited /etc/nagios/cgi.cfg and uncommented default_user_name and changed the user from guest to nagios.
Restarting httpd and browsing again it now shows 'Logged in as nagios' and stuff works.
There is no explanation of how this is packaged so it's not really very user friendly.
Nagios is configured to use certain plugins by default which are not installed by default, so it generates a lot of warnings in syslog.
Total Processes, Current Load, Current Users, HTTP, PING, SSH, Swap Usage, host
All give warnings similar to this:
nagios: Warning: Return code of 127 for check of service 'Swap Usage' on host 'localhost' was out of bounds. Make sure the plugin you're trying to run actually exists.
I do have nagios-plugins installed.
# rpm -q nagios-plugins
Installing eg. nagios-check_ssh causes it to restart the nagios daemon which then fails to restart.
nagios: Warning: Duplicate definition found for command 'check_ssh' (config file '/etc/nagios/plugins.d/check_ssh.cfg', starting on line 3)
Same for others I tried such as nagios-check_http
nagios: Warning: Duplicate definition found for command 'check_http' (config file '/etc/nagios/plugins.d/check_http.cfg', starting on line 3)
nagios: Error: Could not add object property in file '/etc/nagios/plugins.d/check_http.cfg' on line 4.
Testing the CVE
Created a link with echo -e "http://localhost/nagios/cgi-bin/history.cgi?host="$(perl -e 'print "a" x 4000,"\n"') > nagioslink
Pasting the link into a browser doesn't cause any crash, it tries to view the host.
After update, all the same.
Unless I'm doing something badly wrong, nagios is in a bit of a state but there are no regressions after the update.
Before installing the update, I installed task-nagios, set use_authentication=0 in /etc/nagios/cgi.cfg, and restarted httpd.
Going to http://localhost/nagios/, it shows ...
Error: Could not read object configuration data!
Running nagios -v /etc/nagios/nagios.cfg shows ...
Warning: Duplicate definition found for command 'check_ping' (config file '/etc/nagios/plugins.d/check_ping.cfg', starting on line 3)
Error: Could not add object property in file '/etc/nagios/plugins.d/check_ping.cfg' on line 4.
Error processing object config files!
I had to remove the following files to get the -v option to not show errors.
-rw-r--r-- 1 root root 456 Mar 29 2012 check_dhcp.cfg
-rw-r--r-- 1 root root 211 Mar 29 2012 check_hpjd.cfg
-rw-r--r-- 1 root root 2403 Mar 29 2012 check_http.cfg
-rw-r--r-- 1 root root 253 Mar 29 2012 check_nt.cfg
-rw-r--r-- 1 root root 2210 Mar 29 2012 check_ping.cfg
-rw-r--r-- 1 root root 201 Mar 29 2012 check_smtp.cfg
-rw-r--r-- 1 root root 460 Mar 29 2012 check_ssh.cfg
-rw-r--r-- 1 root root 3607 Mar 29 2012 check_tcp.cfg
Even after removing those files, and restarting httpd, any nagios link other than home or documentation still shows
Error: Could not read object configuration data!
I set default_user_name to nagios instead, Dave, and found it solved that.
The errors I found too. I'll create some more bugs...
It may be due to the existence of /etc/nagios/plugins.d/nagios-plugins.cfg_do_not_use in the nagios-plugins package but I'd had enough of trying to make it work by then to test any further.
Created new bugs. They are likely all symptoms of the same problem.
Bug 8985 - nagios-check_* packages cause nagios to fail to start with errors eg Error: Could not add object property in file '/etc/nagios/plugins.d/check_ping.cfg' on line 4.
Bug 8986 - nagios generates lots of warnings in syslog eg. Return code of 127 for check of service 'Swap Usage' on host 'localhost' was out of bounds. Make sure the plugin you're trying to run actually exists.
Bug 8987 - Nagios fails to gather service data - (Return code of 127 is out of bounds - plugin may be missing)
Thanks Claire. Turning auth back on, and setting the default user fixed
Testing complete on Mageia 2 i586.
Could someone from the sysadmin team push the srpm
from Mageia 2 Core Updates Testing to Core Updates.
Advisory: Nagios update corrects a buffer overflow problem that could be used for a denial of service attack, with application crashes.
has_procedure mga2-64-ok =>
has_procedure mga2-64-ok MGA2-32-OK
Guillaume gave a suggested advisory in Comment 3:
Nagios Core's history.cgi is vulnerable to a buffer overflow because it used sprintf on user-supplied data that was not restricted in size (CVE-2012-6096).
Due to various protections of the operating system (history.cgi is compiled with SSP, FORTIFY_SOURCE is enabled, etc.) this is not believed to be exploitable and would result in a denial of service to the user sending the input to history.cgi.