Bug 1098531 (CVE-2014-4701, CVE-2014-4703)

Summary: CVE-2014-4701 CVE-2014-4703 nagios-plugins: check_dhcp Arbitrary Option File Read
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: abaron, apevec, carnil, chrisw, dallan, gkotton, gmollett, jose.p.oliveira.oss, jrusnack, jwboyer, lhh, linux, markmc, mmagr, ondrejj, rbryant, sclewis, srevivo, s
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: nagios-plugins 2.0.3
Doc Type: Bug Fix
Last Closed: 2018-03-22 02:08:19 UTC
Bug Depends On: 1098548, 1098549
Bug Blocks: 1114439

Description Vasyl Kaigorodov 2014-05-16 13:13:35 UTC
It was reported [1] that the check_dhcp plugin allows a local unprivileged user to read parts of INI config files belonging to root on a local system. It could allow an attacker to obtain sensitive information like passwords that should only be accessible by the root user.
The vulnerability is due to the check_dhcp plugin having Root SUID permissions and inappropriate access control when reading a user-provided config file (through the --extra-opts= option).

References:

  [1]: http://seclists.org/fulldisclosure/2014/May/74

Comment 1 Vasyl Kaigorodov 2014-05-16 14:11:49 UTC
Created nagios-plugins tracking bugs for this issue:

Affects: fedora-all [bug 1098548]
Affects: epel-all [bug 1098549]

Comment 2 Murray McAllister 2014-06-30 06:06:53 UTC
This was fixed in version 2.0.2; however, a race condition was discovered that, even with the patch, allowed root-owned files to be read:

http://seclists.org/fulldisclosure/2014/Jun/141

Version 2.0.3 corrects this race condition:

http://nagios-plugins.org/nagios-plugins-2-0-3-released/
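
Added example, not part of this bug report and not the nagios-plugins fix: a C helper for a set-uid root program that has to read a file named by the invoking user, as check_dhcp does with --extra-opts. It opens the file with the invoker's effective UID and then validates the open descriptor rather than the path. The function name `open_for_invoker`, the refusal of symlinks and the owner-must-match rule are assumptions chosen for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not from nagios-plugins): open a caller-supplied
 * option file from a set-uid root program without lending root's read
 * access to the invoking user. Returns an fd, or -1 with errno set. */
int open_for_invoker(const char *path, uid_t invoker)
{
    uid_t saved = geteuid();
    struct stat st;
    int fd, err;

    /* Let the kernel do the permission check as the invoking user, in the
     * same system call that opens the file. A separate check on the path
     * followed by open() leaves a window in which the path can be
     * re-pointed at a root-owned file. */
    if (saved != invoker && seteuid(invoker) != 0)
        return -1;
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    err = errno;
    if (saved != invoker && seteuid(saved) != 0) {
        if (fd >= 0)
            close(fd);
        return -1;              /* could not restore privileges: fail closed */
    }
    if (fd < 0) {
        errno = err;
        return -1;
    }

    /* Defence in depth (assumed policy): inspect the descriptor, not the
     * path, so the checks describe the object that will actually be read.
     * Only regular files owned by the invoker are accepted. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != invoker) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}
```

In a set-uid program the caller would pass `getuid()` as `invoker` and parse the option file from the returned descriptor, never reopening it by name.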

Comment 3 Murray McAllister 2014-06-30 06:25:55 UTC
CVE request for the original issue and the later race condition issue:

http://www.openwall.com/lists/oss-security/2014/06/30/3

Comment 4 Murray McAllister 2014-07-01 06:34:00 UTC
MITRE assigned CVE-2014-4701 to the original check_dhcp report:

http://seclists.org/fulldisclosure/2014/May/74

MITRE assigned CVE-2014-4703 to the race condition in check_dhcp:

http://seclists.org/fulldisclosure/2014/Jun/141

Comment 5 Garth Mollett 2014-07-18 06:08:34 UTC
Statement:

This issue did not affect the versions of nagios-plugins as shipped with Red Hat Enterprise Linux OpenStack Platform.

Comment 6 Fedora Update System 2015-08-18 05:14:09 UTC
nagios-plugins-2.0.3-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2015-08-18 05:22:05 UTC
nagios-plugins-2.0.3-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2015-08-18 05:27:57 UTC
nagios-plugins-2.0.3-1.fc23 has been pushed to the Fedora 23 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2015-08-22 19:25:05 UTC
nagios-plugins-2.0.3-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2015-08-23 03:00:12 UTC
nagios-plugins-2.0.3-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.