Bug 817488 - CVE-2012-2147 munin: DoS (excessive memory / storage usage) via crafted image dimensions present in query string
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20120417,repor...
Keywords: Security
Depends On: 812893 812894
Reported: 2012-04-30 05:08 EDT by Jan Lieskovsky
Modified: 2015-07-31 02:55 EDT
Last Closed: 2015-07-31 02:55:23 EDT
Description Jan Lieskovsky 2012-04-30 05:08:12 EDT
A denial of service flaw was found in the way Munin, a network-wide graphing framework, honoured certain query string parameters when retrieving image files. If a remote attacker issued repeated HTTP GET (image obtain) queries with specially-crafted image dimensions present in the query string, each time with a unique image file name to be retrieved present in the query, it could lead to denial of service (excessive memory and storage use by the particular munin CGI script).

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670811#14

CVE assignment:
[2] http://www.openwall.com/lists/oss-security/2012/04/29/2

Reproducers:
a) common reproducer to obtain an existing image and store it into
   Munin's cache:
   printf 'GET /cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/vmstat-day.png?foo HTTP/1.0\r\nHost: localhost\r\nConnection: close\r\n\r\n' | nc localhost 80

b) reproducer for excessive memory / storage usage (the preceding part
   is the same as in case a)):
   ..png?size_x=20000&size_y=20000&uniquestuff
Comment 1 Jan Lieskovsky 2012-04-30 05:10:41 EDT
This issue affects the versions of the munin package as shipped with Fedora releases 15 and 16.

This issue affects the versions of the munin package as shipped with Fedora EPEL 5 and Fedora EPEL 6.
Comment 2 Jan Lieskovsky 2012-04-30 05:12:04 EDT
Created munin tracking bugs for this issue

Affects: fedora-all [bug 812893]
Affects: epel-all [bug 812894]
Comment 3 d. johnson 2012-04-30 11:02:27 EDT
Is this the same as the bugid mentioned in http://munin-monitoring.org/changeset/4825 ?
Comment 4 Jan Lieskovsky 2012-04-30 11:27:54 EDT
(In reply to comment #3)
> Is this the same as the bugid mentioned in
> http://munin-monitoring.org/changeset/4825 ?

The http://munin-monitoring.org/changeset/4825 changeset seems to be fixing this:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668667, i.e. /tmp filesystem exhaustion due to the original reproducer:

printf 'GET /cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/vmstat-day.png?foo HTTP/1.0\r\nHost: localhost\r\nConnection: close\r\n\r\n' | nc localhost 80

But as noted in Steve's OSS reply:
http://www.openwall.com/lists/oss-security/2012/04/27/7

the memory usage should be a different (yet another) issue. Yes, r4825, once applied, wouldn't allow exhausting / filling the /tmp filesystem via CGI requests for unique file names. But if I understood the memory usage report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670811#14

correctly, even after disabling caching of files it should be possible to cause a memory use DoS (that's why I didn't mention r4825 here [see Steve's comment:

As Helmut noticed, there is already a size cap in rrd, so do I still
need to implement one in munin? If yes, would you mind filing another
bug report (for RAM exhaustion)? ]).
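The description above shows the problem from the request side (oversized size_x/size_y plus a unique junk parameter per request), and comment 4 raises the question of a size cap in munin itself. The following is an added defensive example written for this page; it is not munin's code and not the changeset referenced above. It assumes the parameter names size_x and size_y from the reproducer, and the limits, default graph size and the lower_limit/upper_limit allow-list are assumed values, not ones taken from munin or rrdtool. It does two things a CGI front end can do before any rendering happens: reject dimensions outside a per-axis and total pixel budget, and build the cache key only from parameters that affect rendering, so the "uniquestuff" part of the query cannot produce an unbounded number of distinct cache files.

```python
"""Defensive handling of munin-cgi-graph style query parameters.

Added example, not munin's own code: caps the requested image dimensions
before anything is rendered and builds cache keys only from parameters
that actually affect rendering. Limits and defaults below are assumptions.
"""
from urllib.parse import parse_qs

# Assumed limits; the caps that rrdtool or munin actually enforce are not
# stated on the page, so tune these to the real deployment.
MAX_DIMENSION = 4096            # pixels per axis
MAX_PIXELS = 4096 * 2048        # total pixel budget per rendered image
DEFAULT_SIZE = (400, 175)       # assumed default graph size (width, height)
# Assumed allow-list of further parameters that may vary the cached output.
EXTRA_RENDER_PARAMS = ("lower_limit", "upper_limit")


class BadGraphRequest(ValueError):
    """The request must be rejected instead of being handed to the renderer."""


def _dimension(raw, default):
    """Validate one dimension value taken from the query string."""
    if raw is None or raw == "":
        return default
    if not raw.isdigit():            # rejects signs, floats and whitespace
        raise BadGraphRequest(f"non-numeric dimension {raw!r}")
    value = int(raw)
    if value == 0 or value > MAX_DIMENSION:
        raise BadGraphRequest(f"dimension {value} outside 1..{MAX_DIMENSION}")
    return value


def graph_dimensions(query_string):
    """Return (width, height) to render, enforcing per-axis and total caps."""
    params = parse_qs(query_string, keep_blank_values=True)
    width = _dimension(params.get("size_x", [None])[0], DEFAULT_SIZE[0])
    height = _dimension(params.get("size_y", [None])[0], DEFAULT_SIZE[1])
    if width * height > MAX_PIXELS:
        raise BadGraphRequest(f"{width}x{height} exceeds the {MAX_PIXELS} pixel budget")
    return width, height


def is_acceptable(query_string):
    """True when the request would be rendered, False when it is rejected."""
    try:
        graph_dimensions(query_string)
    except BadGraphRequest:
        return False
    return True


def cache_key(image_path, query_string):
    """Build the cache key from the image path and render-relevant parameters only.

    Unknown parameters (the 'foo' or 'uniquestuff' in the reproducers) are
    dropped, so a client cannot create an unbounded number of distinct cache
    entries by varying junk in the query string. Dimensions are validated
    first, so an oversized request never reaches the cache at all.
    """
    width, height = graph_dimensions(query_string)
    params = parse_qs(query_string, keep_blank_values=True)
    kept = {"size_x": str(width), "size_y": str(height)}
    for name in EXTRA_RENDER_PARAMS:
        if name in params and params[name][0] != "":
            kept[name] = params[name][0]
    suffix = "&".join(f"{k}={kept[k]}" for k in sorted(kept))
    return f"{image_path}?{suffix}"


if __name__ == "__main__":
    # Constructed inputs mirroring the two reproducers on the page.
    path = "/cgi-bin/munin-cgi-graph/localdomain/localhost.localdomain/vmstat-day.png"
    for qs in ("foo", "size_x=800&size_y=300", "size_x=20000&size_y=20000&uniquestuff"):
        verdict = "render" if is_acceptable(qs) else "reject"
        print(f"{qs!r}: {verdict}")
    print("same cache key for junk-suffixed requests:",
          cache_key(path, "foo") == cache_key(path, "uniquestuff1"))
```

The two checks are independent: the dimension cap bounds memory per request, and the normalized cache key bounds the number of files a client can create under /tmp, which is the storage half of the report. Normalizing the key also means the unique-file-name trick no longer defeats caching, so repeated requests for the same graph are served from one entry.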
Comment 5 Kevin Fenzi 2012-05-18 17:36:48 EDT
So, where are we here? 

We should apply changeset 4825 to fix this issue, but look for another issue related to the memory usage (which has not yet been filed or fixed?)?
Comment 6 d. johnson 2012-05-18 19:41:04 EDT
This report matches a different branch than the one Fedora/EPEL ship.

It matches: http://munin-monitoring.org/browser/trunk/master/_bin/munin-cgi-graph.in  (Currently rev4853)

Fedora/EPEL use: http://munin-monitoring.org/browser/tags/1.4.7/master/_bin/munin-cgi-graph.in  (Currently rev3960)

The reported URL says:

Found in version munin/2.0~rc4-1
Fixed in version munin/2.0~rc6-1
Does this CVE apply to 1.4?