Bug 470842 (CVE-2008-5028)

Summary: CVE-2008-5028 nagios: CSRF vulnerability in cmd.cgi
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: j.golderer, linux, mmcgrath, mschoene, nphilipp, ocs2, sebastian.gosenheimer, shawn.starr, vdanen, wtogami
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5028
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-27 08:44:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 471019    
Bug Blocks:    
Attachments:
Description Flags
Ubuntu patch to fix CVE-2008-5028 none

Description Tomas Hoger 2008-11-10 16:12:53 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5028 to the following vulnerability:

Cross-site request forgery (CSRF) vulnerability in cmd.cgi in (1)
Nagios 3.0.5 and (2) op5 Monitor before 4.0.1 allows remote attackers
to send commands to the Nagios process, and trigger execution of
arbitrary programs by this process, via unspecified HTTP requests.

References:
http://sourceforge.net/mailarchive/forum.php?thread_name=4914396D.5010009%40op5.se&forum_name=nagios-devel
http://www.openwall.com/lists/oss-security/2008/11/06/2
http://git.op5.org/git/?p=nagios.git;a=commit;h=814d8d4d1a73f7151eeed187c0667585d79fea18
http://www.op5.com/support/news/389-important-security-fix-available-for-op5-monitor
http://secunia.com/advisories/32610
http://xforce.iss.net/xforce/xfdb/46426
Comment 1 Marc Schoenefeld 2008-11-11 10:47:47 UTC 
from http://www.openwall.com/lists/oss-security/2008/11/11/9: 

Date: Tue, 11 Nov 2008 11:36:00 +0100
From: Andreas Ericsson <ae@....se>
To: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: Nagios (two issues)

[...] 

Actually, the CSRF issue is still in Nagios 3.0.5, but can no longer
trigger execution of arbitrary programs by the Nagios process. Its
impact is thereby reduced to disabling monitoring of the network and
similar actions that can validly be requested from the Nagios process
through the GUI.

The problem is not present in op5 Monitor 4.0.1. A tar-ball containing
the fix is available at http://www.op5.org/src/nagios-3.0.5p1.tar.gz.

Thanks.

-- 
Andreas Ericsson                   andreas.ericsson@....se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231
Comment 4 Vincent Danen 2009-03-23 21:44:32 UTC 
Created attachment 336395 [details]
Ubuntu patch to fix CVE-2008-5028

Patch to correct the issue, taken from Ubuntu (http://www.ubuntu.com/usn/USN-698-3)