Bug 1517341 (CVE-2017-16834) - CVE-2017-16834 pnp4nagios: privilege escalation via insecure permissions
Summary: CVE-2017-16834 pnp4nagios: privilege escalation via insecure permissions
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2017-16834
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1517344
Blocks: 1517347
Reported: 2017-11-24 15:59 UTC by Adam Mariš
Modified: 2019-09-29 14:26 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2017-11-30 16:18:29 UTC
Embargoed:



Description Adam Mariš 2017-11-24 15:59:56 UTC
PNP4Nagios through 0.6.26 has /usr/bin/npcd and npcd.cfg owned by an unprivileged account but root code execution depends on these files, which allows local users to gain privileges by leveraging access to this unprivileged account.

References:

https://github.com/lingej/pnp4nagios/issues/140
http://www.openwall.com/lists/oss-security/2017/11/16/1

Comment 1 Adam Mariš 2017-11-24 16:00:37 UTC
Created pnp4nagios tracking bugs for this issue:

Affects: epel-all [bug 1517344]

Comment 2 Siddharth Sharma 2017-11-30 16:18:29 UTC
Analysis:

The spec file used to build this package for Red Hat Gluster Storage 3 contains the following line:

sed -i -e 's/^INSTALL_OPTS="-o $nagios_user -g $nagios_grp"/INSTALL_OPTS=""/' \

which should remove 'nagios' as the default user and group. On further check it was observed that:
1. /etc/pnp4nagios is owned by root
2. /usr/sbin/npcd is owned by root
3. /etc/pnp4nagios/nagios.cfg is owned by root

The default 'nagios' user cannot edit /etc/pnp4nagios/nagios.cfg as it's owned by root.
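
The ownership check carried out in the analysis above, written as an added example that is not part of the original bug report or of pnp4nagios: it flags any file or directory a root-run daemon depends on that is not owned by root or is group- or world-writable. The function names `check_path` and `audit_paths` and the script name `audit.sh` are hypothetical; the example paths in the comment are the ones named in this bug.

```shell
#!/bin/sh
# Added example: ownership audit for files that a root-run daemon loads.
# The trusted uid defaults to 0 (root); the parameter exists only so the
# check can be exercised on scratch files without root privileges.

# check_path PATH [TRUSTED_UID]
# Prints one finding per problem. Returns 0 if clean, 1 on findings,
# 2 if the path does not exist.
check_path() {
    path=$1
    trusted=${2:-0}
    [ -e "$path" ] || { echo "MISSING  $path"; return 2; }
    # -d: the entry itself, -n: numeric ids, -L: follow symlinks to the target.
    meta=$(ls -ldnL -- "$path" | awk '{print $1, $3}')
    perms=${meta% *}
    owner=${meta#* }
    rc=0
    if [ "$owner" != "$trusted" ]; then
        echo "OWNER    $path is owned by uid $owner, expected $trusted"
        rc=1
    fi
    # Mode string positions: 6 = group write, 9 = other write.
    case $perms in
        ?????w*|????????w*)
            echo "WRITABLE $path is group- or world-writable ($perms)"
            rc=1 ;;
    esac
    return "$rc"
}

# audit_paths TRUSTED_UID PATH...
# Returns 0 only if every path passes check_path.
audit_paths() {
    trusted_uid=$1
    shift
    failed=0
    for p in "$@"; do
        check_path "$p" "$trusted_uid" || failed=1
    done
    return "$failed"
}

# Stand-alone use with the paths named in this bug, for example:
#   sh audit.sh /usr/bin/npcd /usr/sbin/npcd /etc/pnp4nagios /etc/pnp4nagios/nagios.cfg
if [ "$#" -gt 0 ]; then
    audit_paths 0 "$@"
fi
```

A non-zero exit status means at least one path needs attention; the printed lines say which path and why.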