Bug 508646 (CVE-2009-2288)

Summary: CVE-2009-2288 nagios: remote code execution via statuswml.cgi CGI script
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: mail, mmcgrath, ocs2, plautrba, sebastian.gosenheimer, srevivo, wtogami
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=important,source=gentoo,reported=20090627,public=20090618,cvss2=6.5/AV:N/AC:L/Au:S/C:P/I:P/A:P
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2016-06-10 22:30:30 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 508649

Description Tomas Hoger 2009-06-29 10:17:20 UTC
A remote shell code injection flaw was found in the statuswml.cgi script in nagios.  A remote attacker able to access the nagios web pages (usually protected by HTTP authentication) can run arbitrary commands with the CGI script's (i.e. the web server's) privileges.

Upstream bug with additional details:
http://tracker.nagios.org/view.php?id=15

Upstream commit:
http://nagios.cvs.sourceforge.net/viewvc/nagios/nagios/cgi/statuswml.c?r1=1.27&r2=1.28

Upstream test case:
http://nagios.cvs.sourceforge.net/viewvc/nagios/nagios/t/617statuswml.t

Comment 1 Tomas Hoger 2009-06-29 10:34:45 UTC
Access control defaults for nagios packages:

Fedora:
- By default, access to nagios web pages is only allowed for localhost.
- Additionally, access to pages is protected by HTTP authentication.  There's no user created by default.
- Note: it seems that during the nagios2 -> nagios3 transition, an attempt was made to provide a default user/password (nagiosadmin:nagiosadmin) in the .htpasswd file:

http://cvs.fedoraproject.org/viewvc/rpms/nagios/devel/nagios.spec?r1=1.49&r2=1.50

However, the /etc/httpd/conf.d/nagios.conf file has not been updated and still references the (non-existent) /etc/nagios/passwd file and not the newly added /etc/nagios/.htpasswd file.  Please correct me if I'm missing something here.  I'm also not sure if there's a good reason to use .ht as the file name prefix (the file is not in the web server's docroot).


Red Hat HPC Solution:
- Based on the Fedora 2.x packages, so the nagios package by default only allows access from localhost and requires authentication.
- However, kusu-nagios-config overwrites the httpd/conf.d/nagios.conf file in its postinst script to allow access from any host by default and creates a user with a fixed default password (admin:admin).  This default user name and password is documented in the HPC installation guide, but it seems to lack instructions on how to change this default.

http://www.redhat.com/docs/en-US/hpc/

Comment 4 Tomas Hoger 2009-07-01 12:09:00 UTC
CVE-2009-2288:
statuswml.cgi in Nagios before 3.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) ping or (2) Traceroute parameters.
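The bug class described in the description and in the CVE text above is a host name taken from the ping/traceroute form and handed to a shell.  As an added illustration of the defensive pattern (this is hypothetical code written for this bug page, not the upstream Nagios 3.1.1 fix, whose exact check is only linked above), the snippet below restricts the parameter to host-name characters and builds an argv array so the probe tool can be started without /bin/sh ever seeing the value; the function and tool names are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical defensive check (not Nagios's own code): the only thing the
 * ping/traceroute form should ever receive is a host name or IPv4/IPv6
 * address, so accept nothing but [A-Za-z0-9.:-] and refuse empty, over-long
 * or option-looking input.  Every shell metacharacter (; | & ` $ ( ) < >,
 * space, quotes, newline) lies outside this set and is rejected outright. */
int statuswml_host_is_safe(const char *host) {
    size_t len;
    if (host == NULL) return 0;
    len = strlen(host);
    if (len == 0 || len > 253) return 0;          /* DNS name length limit */
    if (host[0] == '-') return 0;                  /* would parse as an option */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == ':' || c == '-')) return 0;
    }
    return 1;
}

/* Build an argv for ping or traceroute so the caller can start it with
 * execvp()/posix_spawn() instead of popen()/system(): the host is passed as
 * one argument and is never interpreted by a shell.  Returns the number of
 * argv entries (excluding the NULL terminator), or -1 if the host is
 * rejected, the tool name is unknown or the buffer is too small. */
int build_probe_argv(const char *tool, const char *host,
                     const char *argv[], int max_args) {
    if (max_args < 5 || !statuswml_host_is_safe(host)) return -1;
    if (strcmp(tool, "ping") == 0) {
        argv[0] = "ping"; argv[1] = "-c"; argv[2] = "3";
        argv[3] = host;   argv[4] = NULL;
        return 4;
    }
    if (strcmp(tool, "traceroute") == 0) {
        argv[0] = "traceroute"; argv[1] = host; argv[2] = NULL;
        return 2;
    }
    return -1;                                     /* unknown tool name */
}
```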

Comment 6 errata-xmlrpc 2009-07-02 20:29:44 UTC
This issue has been addressed in the following products:

  Red Hat HPC Solution for RHEL 5

Via RHSA-2009:1141 https://rhn.redhat.com/errata/RHSA-2009-1141.html

Comment 7 Fedora Update System 2009-07-07 14:49:03 UTC
nagios-2.12-6.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/nagios-2.12-6.el4

Comment 8 Fedora Update System 2009-07-07 14:49:10 UTC
nagios-2.12-6.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/nagios-2.12-6.el5

Comment 9 Fedora Update System 2009-07-09 05:42:13 UTC
nagios-2.12-6.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2009-07-09 05:42:23 UTC
nagios-2.12-6.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.