Bugzilla – Bug 856837
VUL-1: CVE-2013-7108: nagios / icinga: denial of service in Nagios (process_cgivars())
Last modified: 2017-12-19 15:10:46 UTC
CVE-2013-7108 via oss-sec

Could a CVE be assigned to the following flaw? A flaw was reported and fixed in Nagios, which can be exploited to cause a denial of service. This vulnerability is caused due to an off-by-one error within the process_cgivars() function, which can be exploited to cause an out-of-bounds read by sending a specially-crafted key value to the Nagios web UI.

References:
https://secunia.com/advisories/55976/
http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/
https://bugs.gentoo.org/show_bug.cgi?id=495132
https://bugzilla.redhat.com/show_bug.cgi?id=1046113
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7108
http://comments.gmane.org/gmane.comp.security.oss.general/11739
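Added illustration, not part of the report and not the Nagios or Icinga source: a constructed C sketch of how an off-by-one in a walk over a NULL-terminated key/value array turns into a read past the terminator, next to a hardened form. The loop shape, `MAX_KEY_LEN`, the sample array and all function names are assumptions made for the demo; the `nslots` guard only instruments the walk so the demo itself never reads out of bounds.

```c
#include <stddef.h>
#include <string.h>

#define MAX_KEY_LEN 16 /* assumed demo limit, not a Nagios constant */

struct walk_result {
    size_t accepted;  /* entries that passed the length check */
    int    read_past; /* 1 if the loop would index past the terminator */
};

/* Constructed sample: an over-long key is the last entry and has no value. */
static const char *const SAMPLE_TRAILING_KEY[] = {
    "host", "web01", "AAAAAAAAAAAAAAAAAAAAAAAA", NULL
};
#define SAMPLE_SLOTS (sizeof SAMPLE_TRAILING_KEY / sizeof SAMPLE_TRAILING_KEY[0])

/* Walk vars[]; nslots counts every valid slot including the NULL terminator.
 * check_value == 0: an over-long key always skips the next slot as "its
 *                   value" (the off-by-one pattern).
 * check_value == 1: the next slot is skipped only if it really holds a value. */
static struct walk_result walk(const char *const vars[], size_t nslots,
                               int check_value)
{
    struct walk_result r = {0, 0};
    for (size_t x = 0; ; x++) {
        if (x >= nslots) { r.read_past = 1; break; } /* instrumentation only */
        if (vars[x] == NULL) break;                  /* normal end of input */
        if (strlen(vars[x]) >= MAX_KEY_LEN - 1) {
            /* Unchecked, x++ can land on the terminator, and the loop's own
             * x++ then steps over it before the NULL test runs again. */
            if (!check_value || vars[x + 1] != NULL)
                x++;
            continue;
        }
        r.accepted++;
    }
    return r;
}

struct walk_result walk_vulnerable(const char *const vars[], size_t nslots)
{
    return walk(vars, nslots, 0);
}

struct walk_result walk_hardened(const char *const vars[], size_t nslots)
{
    return walk(vars, nslots, 1);
}
```
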
Only a cross reference (not saying it should get the same CVE): This seems to be the equivalent to the icinga issue [1], which got CVE-2013-7108. [1] https://dev.icinga.org/issues/5251
> http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/

Relative to CVE-2013-7108, Nagios changed two files that Icinga did not change. If the additional changes are vulnerability fixes, we will assign two more CVE IDs. (The vulnerability types would not be the same.) We are currently coordinating with Icinga upstream on this. In any case, CVE-2013-7108 will represent a set of off-by-one error issues that are common to Icinga and Nagios, and were all announced at the same time. CVE-2013-7108 is not specific to only Icinga.
From: cve-assign@mitre.org

> Can you please advise if any additional CVE(s) will be assigned to
> this commit in Nagios then?

The situation is a bit complicated but it appears that the best choice is to add one CVE assignment. As mentioned in the http://openwall.com/lists/oss-security/2013/12/16/4 post, CVE-2013-7108 is for the https://dev.icinga.org/issues/5251 report. This mentions specific affected Icinga files. The issue in the same files in Nagios has this same CVE ID. Nagios changed two other files.

The first file is contrib/daemonchk.c. This is a fix for the same type of off-by-one issue covered by CVE-2013-7108, but it was announced at a different time and therefore is assigned a different CVE ID, CVE-2013-7205 for Nagios. Our information from Icinga upstream is that the contrib/daemonchk.c code isn't exposed to untrusted input with the Icinga distribution as shipped, and would only be exposed if the user decides to change the build/installation process. Therefore, Icinga upstream is not accepting this as an Icinga vulnerability.

Another observation about contrib/daemonchk.c is that the process_cgivars function apparently accomplishes nothing, and the call and the code itself (with the originally erroneous length checking) could perhaps just be omitted, because the variables[x] values are never used. However, later use of the variables[x] values is irrelevant to the reported attack possibility.

The second file is cgi/statuswml.c. Here, the Nagios commit adds a block of new code -- this isn't an off-by-one change like the other cases. As far as we can tell, this block of new code doesn't correct any exploitable vulnerability and thus there won't be any associated CVE ID. The code might be a good idea for consistency reasons, but we didn't notice any viable attack that would involve long variables[x] values.

Finally (although it's not directly relevant to CVE assignment), Icinga does not use the cgi/statuswml.c code and is no longer even shipping it.

-- 
CVE assignment team, MITRE CVE Numbering Authority
nagios webui is probably post-auth, so not that terribly important to update
(somehow we did not spot this for icinga. also needs to be fixed if necessary ;)
Patched Nagios packages submitted for:
* openSUSE 12.2
* openSUSE 12.3
* openSUSE 13.1
* openSUSE Factory
* SLES 9
* SLES 10 SP3
* SLES 11 SP3

Description: This update fixes CVE-2013-7108, in which the Nagios CGIs can be exploited to cause a denial of service. This vulnerability is caused due to an off-by-one error within the process_cgivars() function, which can be exploited to cause an out-of-bounds read by sending a specially-crafted key value to the Nagios web UI.
Re-assigning to Icinga maintainer.
openSUSE-SU-2014:0016-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 856837 CVE References: CVE-2013-7108 Sources used: openSUSE 13.1 (src): nagios-3.5.1-3.5.1 openSUSE 12.3 (src): nagios-3.5.0-2.14.1 openSUSE 12.2 (src): nagios-3.5.0-2.23.1
The SWAMPID for this issue is 55641. This issue was rated as moderate. Please submit fixed packages until 2014-01-20. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Icinga does have a second fix which wasn't included in the sr (fix possible buffer overflows CVE-2013-7106): https://dev.icinga.org/issues/5250
Updated Icinga and submitted requests for 12.3, 13.1 and Factory. Reassigning.
thx. Is the SLE11 submit also for SP2 and SP3?
openSUSE-SU-2014:0039-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 856837 CVE References: CVE-2013-7108 Sources used: openSUSE 11.4 (src): nagios-3.2.3-3.30.1
This is an autogenerated message for OBS integration: This bug (856837) was mentioned in https://build.opensuse.org/request/show/213342 12.3 / nagios-rpm-macros
openSUSE-SU-2014:0069-1: An update that solves one vulnerability and has one errata is now available. Category: security (moderate) Bug References: 851619,856837 CVE References: CVE-2013-7108 Sources used: openSUSE 13.1 (src): icinga-1.10.2-4.6.1
openSUSE-SU-2014:0097-1: An update that solves one vulnerability and has two fixes is now available. Category: security (moderate) Bug References: 834828,851619,856837 CVE References: CVE-2013-7108 Sources used: openSUSE 12.3 (src): icinga-1.10.2-2.4.1, nagios-rpm-macros-0.08-2.8.1
released
Update released for: nagios, nagios-debuginfo, nagios-debugsource, nagios-devel, nagios-www Products: SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP3 (i386, x86_64)
Update released for: nagios, nagios-debuginfo, nagios-debugsource, nagios-devel, nagios-www Products: SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP2 (i386, x86_64)
Update released for: nagios, nagios-debuginfo, nagios-www Products: SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: nagios, nagios-www Products: SUSE-CORE 9-SP3-TERADATA (x86_64)
Update released for: nagios, nagios-debuginfo, nagios-debugsource, nagios-devel, nagios-www Products: SLE-SERVER 11-SP1-TERADATA (x86_64)
SUSE-SU-2014:0156-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 856837 CVE References: CVE-2013-7108 Sources used: SUSE Linux Enterprise Software Development Kit 11 SP3 (src): nagios-3.0.6-1.25.34.1 SUSE Linux Enterprise Software Development Kit 11 SP2 (src): nagios-3.0.6-1.25.34.1 SUSE Linux Enterprise Server 11 SP3 for VMware (src): nagios-3.0.6-1.25.34.1 SUSE Linux Enterprise Server 11 SP3 (src): nagios-3.0.6-1.25.34.1 SUSE Linux Enterprise Server 11 SP2 for VMware (src): nagios-3.0.6-1.25.34.1 SUSE Linux Enterprise Server 11 SP2 (src): nagios-3.0.6-1.25.34.1
This is an autogenerated message for OBS integration: This bug (856837) was mentioned in https://build.opensuse.org/request/show/558566 Factory / icinga