Bug 508646 (CVE-2009-2288)

Summary: CVE-2009-2288 nagios: remote code execution via statuswml.cgi CGI script
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: mail, mmcgrath, ocs2, plautrba, sebastian.gosenheimer, srevivo, wtogami
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=important,source=gentoo,reported=20090627,public=20090618,cvss2=6.5/AV:N/AC:L/Au:S/C:P/I:P/A:P
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-06-10 22:30:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 508649    
Bug Blocks:    

Description Tomas Hoger 2009-06-29 10:17:20 UTC
A remote shell code injection flaw was found in statuswml.cgi script in nagios.  A remote attacker able to access nagios web pages (usually protected by HTTP authentication) can run arbitrary commands with CGI script's (i.e. web server) privileges.

Upstream bug with additional details:

Upstream commit:

Upstream test case:

Comment 1 Tomas Hoger 2009-06-29 10:34:45 UTC
Access control defaults for nagios packages:

- By default, access to nagios web pages is only allowed for localhost.
- Additionally, access to pages is protected by HTTP authentication.  There's no user created by default.
- Note: it seems that during nagios2 -> nagios3 transition, an attempt was made to provide default user/password (nagiosadmin:nagiosadmin) in .htpasswd file:


However, /etc/httpd/conf.d/nagios.conf file has not been updated and still references (non-existent) /etc/nagios/passwd file and not newly added /etc/nagios/.htpasswd file.  Please correct me if I'm missing something here.  I'm also not sure if there's a good reason to use .ht as file name prefix (file is not in web server's docroot).

Red Hat HPC Solution:
- Based on Fedora 2.x Fedora packages, so nagios package by default only allow access from localhost and requires authentication.
- However, kusu-nagios-config overwrites httpd/conf.d/nagios.conf file in its postinst script to allow access from any host by default and creates user with fixed default password (admin:admin).  This default user name and password is documented in HPC installation guide, but it seems to lack instructions on how to change this default.


Comment 4 Tomas Hoger 2009-07-01 12:09:00 UTC
statuswml.cgi in Nagios before 3.1.1 allows remote attackers to
execute arbitrary commands via shell metacharacters in the (1) ping or
(2) Traceroute parameters.

Comment 6 errata-xmlrpc 2009-07-02 20:29:44 UTC
This issue has been addressed in following products:

  Red Hat HPC Solution for RHEL 5

Via RHSA-2009:1141 https://rhn.redhat.com/errata/RHSA-2009-1141.html

Comment 7 Fedora Update System 2009-07-07 14:49:03 UTC
nagios-2.12-6.el4 has been submitted as an update for Fedora EPEL 4.

Comment 8 Fedora Update System 2009-07-07 14:49:10 UTC
nagios-2.12-6.el5 has been submitted as an update for Fedora EPEL 5.

Comment 9 Fedora Update System 2009-07-09 05:42:13 UTC
nagios-2.12-6.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2009-07-09 05:42:23 UTC
nagios-2.12-6.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.