Bug 508646 (CVE-2009-2288) - CVE-2009-2288 nagios: remote code execution via statuswml.cgi CGI script
Summary: CVE-2009-2288 nagios: remote code execution via statuswml.cgi CGI script
Status: CLOSED ERRATA
Alias: CVE-2009-2288
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,source=gentoo,report...
Keywords: Security
Depends On: 508649
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-06-29 10:17 UTC by Tomas Hoger
Modified: 2019-06-08 12:46 UTC (History)
7 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2016-06-10 22:30:30 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1141 normal SHIPPED_LIVE Important: nagios security update 2009-07-02 20:29:36 UTC

Description Tomas Hoger 2009-06-29 10:17:20 UTC
A remote shell code injection flaw was found in statuswml.cgi script in nagios.  A remote attacker able to access nagios web pages (usually protected by HTTP authentication) can run arbitrary commands with CGI script's (i.e. web server) privileges.

Upstream bug with additional details:
http://tracker.nagios.org/view.php?id=15

Upstream commit:
http://nagios.cvs.sourceforge.net/viewvc/nagios/nagios/cgi/statuswml.c?r1=1.27&r2=1.28

Upstream test case:
http://nagios.cvs.sourceforge.net/viewvc/nagios/nagios/t/617statuswml.t

Comment 1 Tomas Hoger 2009-06-29 10:34:45 UTC
Access control defaults for nagios packages:

Fedora:
- By default, access to nagios web pages is only allowed for localhost.
- Additionally, access to pages is protected by HTTP authentication.  There's no user created by default.
- Note: it seems that during nagios2 -> nagios3 transition, an attempt was made to provide default user/password (nagiosadmin:nagiosadmin) in .htpasswd file:

http://cvs.fedoraproject.org/viewvc/rpms/nagios/devel/nagios.spec?r1=1.49&r2=1.50

However, /etc/httpd/conf.d/nagios.conf file has not been updated and still references (non-existent) /etc/nagios/passwd file and not newly added /etc/nagios/.htpasswd file.  Please correct me if I'm missing something here.  I'm also not sure if there's a good reason to use .ht as file name prefix (file is not in web server's docroot).


Red Hat HPC Solution:
- Based on Fedora 2.x Fedora packages, so nagios package by default only allow access from localhost and requires authentication.
- However, kusu-nagios-config overwrites httpd/conf.d/nagios.conf file in its postinst script to allow access from any host by default and creates user with fixed default password (admin:admin).  This default user name and password is documented in HPC installation guide, but it seems to lack instructions on how to change this default.

http://www.redhat.com/docs/en-US/hpc/

Comment 4 Tomas Hoger 2009-07-01 12:09:00 UTC
CVE-2009-2288:
statuswml.cgi in Nagios before 3.1.1 allows remote attackers to
execute arbitrary commands via shell metacharacters in the (1) ping or
(2) Traceroute parameters.

Comment 6 errata-xmlrpc 2009-07-02 20:29:44 UTC
This issue has been addressed in following products:

  Red Hat HPC Solution for RHEL 5

Via RHSA-2009:1141 https://rhn.redhat.com/errata/RHSA-2009-1141.html

Comment 7 Fedora Update System 2009-07-07 14:49:03 UTC
nagios-2.12-6.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/nagios-2.12-6.el4

Comment 8 Fedora Update System 2009-07-07 14:49:10 UTC
nagios-2.12-6.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/nagios-2.12-6.el5

Comment 9 Fedora Update System 2009-07-09 05:42:13 UTC
nagios-2.12-6.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2009-07-09 05:42:23 UTC
nagios-2.12-6.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.