Bug 983673 - (CVE-2013-4114) CVE-2013-4114 nagstamon: Monitor server user credentials exposure in automated requests to get update information
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Severity: urgent
Assigned To: Red Hat Product Security
Whiteboard: impact=critical,public=20130711,repor...
Keywords: Security
Depends On: 983675
Reported: 2013-07-11 12:59 EDT by Jan Lieskovsky
Modified: 2013-08-12 21:04 EDT (History)
Fixed In Version: Nagstamon-0.9.10
Doc Type: Bug Fix
Last Closed: 2013-07-16 02:12:30 EDT
External Trackers:
Tracker: Gentoo, ID: 476538, Priority: None, Status: None, Summary: None, Last Updated: Never
Description Jan Lieskovsky 2013-07-11 12:59:39 EDT
A user credentials information exposure flaw was found in the way Nagstamon, a Nagios status monitor for the desktop, performed automated requests to get information about available updates. A remote attacker could use this flaw to obtain user credentials for the server monitored by the desktop status monitor, due to their improper (base64 encoding based) encoding in the HTTP request when the HTTP Basic authentication scheme was used.

References:
[1] http://nagstamon.ifw-dresden.de/docs/security/
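The pattern the description refers to, as an added illustration that is not Nagstamon's own code: a monitor session whose Basic Authorization header leaks into an update-check request sent to an unrelated host, the hardened form that scopes credentials to the monitored server, and a check that flags such a leak. All class, function and URL names are hypothetical; the URLs are constructed placeholders.

```python
import base64
from urllib.parse import urlparse

# Constructed placeholder URLs, not Nagstamon's real endpoints.
MONITOR_URL = "https://nagios.example.org/nagios/"
UPDATE_URL = "https://updates.example.net/nagstamon/latest"


def basic_auth_value(username, password):
    """HTTP Basic is base64 of 'user:password': an encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


class MonitorSession:
    """Hypothetical stand-in for a desktop monitor's HTTP session to its monitored server."""

    def __init__(self, server_url, username, password):
        self.server_url = server_url
        self.default_headers = {"Authorization": basic_auth_value(username, password)}

    def build_request(self, url, extra_headers=None):
        # Returns a plain dict instead of sending anything, so the example runs offline.
        headers = dict(self.default_headers)
        headers.update(extra_headers or {})
        return {"url": url, "headers": headers}


def update_check_vulnerable(session):
    """Flawed pattern: the update check reuses the server session, so the
    monitored server's Basic credentials ride along to an unrelated host."""
    return session.build_request(UPDATE_URL)


def update_check_fixed(session):
    """Hardened pattern: the update check is a fresh request with no credentials;
    the session's Authorization header stays scoped to the monitored server."""
    return {"url": UPDATE_URL, "headers": {"User-Agent": "nagstamon-example"}}


def leaked_credentials(request, server_url):
    """Defender check: (user, password) if a request to a host other than the
    monitored server carries a Basic Authorization header, otherwise None."""
    auth = request["headers"].get("Authorization", "")
    same_host = urlparse(request["url"]).netloc == urlparse(server_url).netloc
    if same_host or not auth.startswith("Basic "):
        return None
    user, _, password = base64.b64decode(auth[len("Basic "):]).decode().partition(":")
    return user, password


if __name__ == "__main__":
    session = MonitorSession(MONITOR_URL, "nagiosadmin", "example-password")
    print("vulnerable:", leaked_credentials(update_check_vulnerable(session), MONITOR_URL))
    print("fixed:", leaked_credentials(update_check_fixed(session), MONITOR_URL))
```

The same check can be run over captured outbound requests from a proxy to confirm that no Authorization header leaves the monitored server's origin.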
Comment 1 Jan Lieskovsky 2013-07-11 13:02:09 EDT
This issue affects the versions of the nagstamon package as shipped with Fedora releases 18 and 19. Please schedule an update.
Comment 2 Jan Lieskovsky 2013-07-11 13:02:52 EDT
Created nagstamon tracking bugs for this issue:

Affects: fedora-all [bug 983675]
Comment 3 Jan Lieskovsky 2013-07-11 13:08:35 EDT
CVE Request:
  http://www.openwall.com/lists/oss-security/2013/07/11/3
Comment 4 Jan Lieskovsky 2013-07-12 05:41:56 EDT
The CVE identifier of CVE-2013-4114 has been assigned to this issue:
  http://www.openwall.com/lists/oss-security/2013/07/11/7
Comment 5 Jan Lieskovsky 2013-07-12 06:15:33 EDT
Reply from Henri Wahl of nagstamon upstream regarding the fix availability for the 0.9.9 version:

Hi,
For those who want to fix a 0.9.9 package there is an updated version at
Github:
https://github.com/HenriWahl/Nagstamon/tree/0.9.9.1 .
Anyway it is a better idea to upgrade to 0.9.10.

Regards
Henri


-- 
Henri Wahl

IT Department
Leibniz-Institut für Festkoerper- u.
Werkstoffforschung Dresden
Comment 6 Nikita Klimov 2013-07-12 06:26:20 EDT
Hi,
I'm the nagstamon maintainer. An updated version without the security hole is available in the updates-testing repo; to update:

yum --enablerepo=updates-testing update nagstamon

This applies to Fedora 18 and 19. I'll update nagstamon to 0.9.10 after the update that's now in testing is pushed to the updates stable repo.
