EGI CSIRT:Alerts/nagios-09-07-2009
========================================================================
EGEE Operational Security Coordination Team

Topic: Alert on the Nagios statuswml.cgi remote command execution
Date:  July 9th 2009
URL:   http://cern.ch/osct/alerts/nagios-09-07-2009.txt

Background
----------
Nagios is a monitoring system that enables organizations to identify and resolve IT infrastructure problems before they affect critical business processes [1]. In the context of EGEE, Nagios is used as a supplementary part of the EGEE SA1 OAT monitoring suite [2] (with its own version of Nagios supplied by the OAT repositories [3]), but it is not unusual for an EGEE site to run its own Nagios instance for fabric monitoring.

Vulnerability description
-------------------------
It was discovered (see [4] and [5]) that the WAP/WML interface (statuswml.cgi) allows authorized users to run arbitrary commands in the context of the Nagios web server process. The CGI does not sanitize its host parameter before handing it to the shell to run external commands such as 'ping' and 'traceroute', so shell metacharacters in that parameter are interpreted as additional commands. The vulnerability was fixed in the vendor version 3.1.1 [6].

Vulnerability impact
--------------------
Any user who is authorized to access statuswml.cgi can run arbitrary commands as the web server user. In the EGEE SA1 OAT monitoring suite, authorization consists of checking that the user's X.509 certificate is issued by one of the recognized certification authorities and that the user belongs to one of the virtual organizations authorized to view the Nagios data of the particular Nagios OAT installation (the VOS parameter in the YAIM configuration). This means that virtually any entity holding a valid certificate from an IGTF-accredited certification authority and a membership in one of the supported virtual organizations can exploit this vulnerability.

We cannot say how authorization works in other Nagios installations, because that is up to the site, but in the default configuration access to the WAP/WML interface requires the same level of authorization as read-only access to the main Nagios status pages.

OSCT recommendations
--------------------
OSCT recommends upgrading Nagios to version 3.1.1 or later wherever possible.

The latest Nagios releases (3.0.6-1.el4.rf.4.oat and 3.0.6-1.el5.rf.4.oat) supplied by the EGEE SA1 OAT repositories at

    http://www.sysadmin.hep.ac.uk/rpms/egee-SA1/sl4/
    http://www.sysadmin.hep.ac.uk/rpms/egee-SA1/sl5/

also carry a workaround for this issue: they simply do not contain the WAP/WML interface CGI. Users of these repositories receive the fix automatically with the update of the OAT metapackage egee-NAGIOS to version 1.0.0-26. These Nagios releases can also be used for non-EGEE monitoring, since popular third-party repositories (for example, DAG RPMs) still carry the vulnerable version. YUM repository configurations can be obtained from

    http://www.sysadmin.hep.ac.uk/rpms/egee-SA1/sl4/egee-SA1.repo
    http://www.sysadmin.hep.ac.uk/rpms/egee-SA1/sl5/egee-SA1.repo

for RHEL (and compatibles) versions 4 and 5 respectively.

Until the Nagios instance is upgraded to a non-vulnerable version, OSCT recommends denying all access to the vulnerable statuswml.cgi script. For sites running the Nagios web interface under Apache httpd, the simplest configuration that fully denies access is:

    <Files statuswml.cgi>
        Order allow,deny
        Deny from all
    </Files>

This block belongs inside the 'Directory' container that corresponds to the Nagios cgi-bin directory. (The 'Order'/'Deny' syntax is that of Apache httpd 2.2; on httpd 2.4 the equivalent is 'Require all denied'.) After reloading the web server, confirm that a request for statuswml.cgi is refused (HTTP 403) rather than served. Note that this only hides the script: the vulnerable CGI binary stays on disk until the upgrade is done. For web server software other than Apache httpd, please consult the corresponding manuals to learn how to block access to the mentioned CGI script.
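The following is an added illustration and is neither the Nagios source code nor part of the OSCT advisory. It shows the class of bug the advisory describes (a CGI host parameter pasted into a 'ping' command line that a shell would execute) next to the two defenses a hardened CGI needs: an allow-list on the target string, and execution through execvp() with an argv array so no shell ever sees the value. The function names, the accepted character set and the sample input "127.0.0.1; id" are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern (illustrative, not the Nagios source): the CGI's
 * host parameter is pasted into a shell command line that would then be
 * handed to popen()/system(). With target = "127.0.0.1; id", the shell
 * runs ping and then 'id' as the web server user. The string is only
 * built here, never executed. */
int vulnerable_ping_command(const char *target, char *out, size_t outlen)
{
    return snprintf(out, outlen, "/bin/ping -c 3 %s", target);
}

/* Hardened step 1: allow-list the target. Only characters that can occur
 * in a hostname or IPv4/IPv6 literal pass; ';', '|', '&', '`', '$', quotes,
 * whitespace and everything else are rejected. A leading '-' is rejected
 * so the value cannot be parsed as a ping option. (The character set is
 * an assumption for this example.) */
int is_safe_target(const char *target)
{
    size_t len = strlen(target);
    if (len == 0 || len > 255 || target[0] == '-')
        return 0;
    for (const char *p = target; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && c != '.' && c != '-' && c != ':')
            return 0;
    }
    return 1;
}

/* Hardened step 2: no shell at all. The validated target goes into an
 * argv array and execvp() runs ping directly, so nothing interprets
 * metacharacters even if the filter above were too permissive.
 * Returns ping's exit status, or -1 on rejection or failure. */
int safe_ping(const char *target)
{
    if (!is_safe_target(target))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const args[] = { "ping", "-c", "3", (char *)target, NULL };
        execvp(args[0], args);
        _exit(127);            /* exec failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    /* Constructed sample input: an injection attempt, unless a target is given. */
    const char *target = argc > 1 ? argv[1] : "127.0.0.1; id";
    char cmd[512];

    vulnerable_ping_command(target, cmd, sizeof cmd);
    printf("vulnerable CGI would hand the shell: %s\n", cmd);

    if (!is_safe_target(target)) {
        printf("hardened CGI rejects target: %s\n", target);
        return 1;
    }
    printf("hardened CGI runs ping, exit status %d\n", safe_ping(target));
    return 0;
}
```

Run without arguments to see the injected command line the vulnerable pattern would produce and the hardened path rejecting it; run with a real hostname or address to see the hardened path execute ping. The allow-list alone would already stop this advisory's attack, but the argv-based exec is what makes the fix robust: it removes the shell from the picture instead of trying to enumerate every character the shell treats specially.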
References
----------
[1] http://www.nagios.org/
[2] https://twiki.cern.ch/twiki/bin/view/EGEE/GridMonitoringNcgYaim
[3] http://www.sysadmin.hep.ac.uk/rpms/egee-SA1/
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2288
[5] http://www.securityfocus.com/bid/35464/
[6] http://www.nagios.org/development/history/core-3x/
========================================================================
Source
Parts of this article came from the OSCT wiki; they were written by the EGEE Operational Security Coordination Team.