Bug 508646 (CVE-2009-2288)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2009-2288 nagios: remote code execution via statuswml.cgi CGI script | | |
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | linux, mmcgrath, ocs2, plautrba, sebastian.gosenheimer, srevivo, wtogami |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-06-10 22:30:30 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 508649 | | |
| Bug Blocks: | | | |
Description
Tomas Hoger
2009-06-29 10:17:20 UTC
Access control defaults for nagios packages:

Fedora:

- By default, access to nagios web pages is only allowed for localhost.
- Additionally, access to pages is protected by HTTP authentication. There's no user created by default.
- Note: it seems that during the nagios2 -> nagios3 transition, an attempt was made to provide a default user/password (nagiosadmin:nagiosadmin) in the .htpasswd file: http://cvs.fedoraproject.org/viewvc/rpms/nagios/devel/nagios.spec?r1=1.49&r2=1.50 However, the /etc/httpd/conf.d/nagios.conf file has not been updated and still references the (non-existent) /etc/nagios/passwd file and not the newly added /etc/nagios/.htpasswd file. Please correct me if I'm missing something here. I'm also not sure if there's a good reason to use .ht as the file name prefix (the file is not in the web server's docroot).

Red Hat HPC Solution:

- Based on Fedora 2.x Fedora packages, so the nagios package by default only allows access from localhost and requires authentication.
- However, kusu-nagios-config overwrites the httpd/conf.d/nagios.conf file in its postinst script to allow access from any host by default and creates a user with a fixed default password (admin:admin). This default user name and password is documented in the HPC installation guide, but it seems to lack instructions on how to change this default. http://www.redhat.com/docs/en-US/hpc/

CVE-2009-2288: statuswml.cgi in Nagios before 3.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) ping or (2) traceroute parameters.

This issue has been addressed in the following products:

- Red Hat HPC Solution for RHEL 5, via RHSA-2009:1141: https://rhn.redhat.com/errata/RHSA-2009-1141.html

nagios-2.12-6.el4 has been submitted as an update for Fedora EPEL 4. http://admin.fedoraproject.org/updates/nagios-2.12-6.el4

nagios-2.12-6.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/nagios-2.12-6.el5

nagios-2.12-6.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

nagios-2.12-6.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.
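The statuswml.cgi issue summarized in the CVE line of this report is a shell-metacharacter injection through the ping and traceroute parameters. The following Python is an added example, not code from this bug report or from Nagios: it shows the strict host allowlist a hardened CGI would apply to those two parameters, and reuses that check to flag matching requests in an Apache access log. The log lines, client addresses, hostnames and the `/nagios/cgi-bin/` path are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Allowlist for a ping/traceroute target: a sequence of hostname labels or a
# dotted-quad IPv4 address. Every shell metacharacter (; | & $ ` space ...)
# falls outside this pattern, so the value fails closed instead of being
# passed to a shell. Assumption: the CGI only ever receives a single host.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_safe_host(value: str) -> bool:
    """Return True only if value is a plain hostname or IPv4 address."""
    return bool(HOST_RE.match(value))


# Request field of an Apache combined-log line: "METHOD /path?query HTTP/x.y"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_statuswml_requests(log_lines):
    """Return (parameter, decoded value) for every statuswml.cgi request whose
    ping or traceroute value fails the allowlist; other CGIs are ignored."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/statuswml.cgi"):
            continue
        # parse_qsl percent-decodes, so %3B is compared as ';'
        for key, val in parse_qsl(url.query, keep_blank_values=True):
            if key.lower() in ("ping", "traceroute") and not is_safe_host(val):
                hits.append((key, val))
    return hits


# Constructed sample lines (not real traffic): a benign ping, a traceroute
# value carrying an encoded ';', and an unrelated CGI that must not be flagged.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Jun/2009:10:17:20 +0000] "GET /nagios/cgi-bin/statuswml.cgi?ping=192.0.2.1 HTTP/1.1" 200 512',
    '192.0.2.11 - - [29/Jun/2009:10:18:02 +0000] "GET /nagios/cgi-bin/statuswml.cgi?traceroute=host.example.com%3Bid HTTP/1.1" 200 512',
    '192.0.2.12 - - [29/Jun/2009:10:19:41 +0000] "GET /nagios/cgi-bin/status.cgi?host=all HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for key, val in suspicious_statuswml_requests(SAMPLE_LOG):
        print(f"flagged {key}={val!r}")
```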