Bug 885207 (CVE-2014-4702) - VUL-1: CVE-2014-4702: nagios-plugins: check_icmp Arbitrary Option File Read
Status: RESOLVED FIXED
Alias: CVE-2014-4702
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low, Severity: Minor
Target Milestone: ---
Deadline: 2014-10-30
Assignee: Martin Caj
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/103105/
Whiteboard: maint:released:sle11-sp3:59255 CVSSv2...
Reported: 2014-07-01 08:27 UTC by Victor Pereira
Modified: 2016-09-08 22:20 UTC
Found By: Security Response Team


Description Victor Pereira 2014-07-01 08:27:34 UTC
Similar to the CVE-2014-4701 issue in the check_dhcp plug-in, the same flaw was found to affect check_icmp. A local attacker could obtain sensitive information by using this flaw to read parts of INI configuration files that belong to the root user.


As stated on nagios-plugins-README.SuSE-check_icmp, SUSE doesn't set the setuid bit as default. Therefore we aren't affected. 


References:
http://seclists.org/oss-sec/2014/q2/709
https://bugzilla.redhat.com/show_bug.cgi?id=1114841
Comment 1 Lars Vogdt 2014-07-01 14:36:15 UTC
Well, to be honest: if you want to run this check in production, you have to run the check via setuid root (or use sudo, which is also recommended in the README).

We already ship apparmor profiles for
* check_dhcp 
* check_ntp_time
But - for compatibility reasons - we do not enable them on SLE, just on openSUSE.

I'd like to propose (especially as Upstream has not yet provided a final fix) to switch to an enforce mode for those two checks and also add the apparmor profiles for check_icmp here, to cover all setuid root checks.

BUT: if we enable the apparmor profiles, customers have to add their configuration files to the profiles (and we should really inform the users about this change). But this should help with this bug.

What do you think:
* wait for an upstream fix (a complete one - or take the current one?)
* enable apparmor for those profiles?
Comment 2 Lars Vogdt 2014-07-31 16:43:37 UTC
@Martin: as I'm on vacation, can you please take a look?
Comment 3 Johannes Segitz 2014-08-01 10:38:08 UTC
We have to wait for an upstream fix since we can't assume everyone runs apparmor in enforcing mode or at all.
Comment 4 Martin Caj 2014-08-06 09:14:29 UTC
Hi Johannes,
I investigated it with the following results:

The vulnerability with SUID binaries (check_icmp, check_dhcp) has been fixed in nagios-plugins in the upstream version 2.0.2. Now nagios-plugins has a new version, 2.0.3.

I also spoke with the community behind the Monitoring Plugins project (https://www.monitoring-plugins.org) about the vulnerability. The version 2.0 (latest stable) should not be affected.

My question is: where should the fix be done?
Are we talking about the OpenSUSE build repository server:monitoring?
Are we talking about an update for SLE-11-SP3 or for OpenSUSE?
 
Martin
Comment 5 Johannes Segitz 2014-08-07 08:10:50 UTC
In my view it's sufficient to just fix it in its development project since we're not shipping it setuid and it's a minor issue.
Comment 6 Victor Pereira 2014-08-29 08:50:06 UTC
Hi,
we are shipping it without setuid, but as Lars already said, in the comment #c1, to actually run it, you should run it either with setuid or sudo. So as discussed now with Marcus, this should be fixed on SLE-11-SP3 and OpenSUSE. Is it possible to backport the patch?
Comment 10 SMASH SMASH 2014-10-01 22:50:17 UTC
Affected packages:

SLE-11-SP3: nagios-plugins
SLE-11-SP3-PRODUCTS: nagios-plugins
SLE-11-SP3-UPTU: nagios-plugins
Comment 11 Swamp Workflow Management 2014-10-02 07:33:19 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2014-10-30.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/59247
Comment 12 Christian Boltz 2014-10-10 21:17:37 UTC
(In reply to Lars Vogdt from comment #1)
> I'd like to propose (especially as Upstream has not yet provided a final fix)
> to switch to an enforce mode for those two checks and also add the apparmor
> profiles for check_icmp here, to cover all setuid root checks.
> 
> BUT: if we enable the apparmor profiles, customers have to add their
> configuration files to the profiles (and we should really inform the users
> about this change). But this should help with this bug.

Samba uses a script to auto-generate an AppArmor profile snippet based on the configuration (it allows access to all configured shares).

Would something like that also make sense for nagios?
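
Added example, not part of the bug thread and not SUSE's or Samba's script: a sketch of the generator idea raised in comments 1 and 12, emitting one AppArmor read rule per INI file that a Nagios command definition passes to a plugin through `--extra-opts=[section]@file`. The function name, the sample command definitions and the file paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report: turn the INI files that Nagios
# command definitions hand to plugins via --extra-opts=[section]@/abs/file
# into AppArmor read rules for the setuid checks' profiles.

extra_opts_rules() {
    # "$@": Nagios object files with command_line definitions (assumed paths)
    grep -hoE -- '--extra-opts[= ][^[:space:]]*@/[^[:space:]]+' "$@" |
        sed -e 's/^[^@]*@//' -e "s/[\"']*\$//" |
        sort -u |
        while IFS= read -r path; do
            case $path in
                # Glob characters or ".." would make the rule match more
                # than the one configured file, so refuse to emit it.
                *\** | *\?* | *\[* | *\]* | *\{* | *\}* | *,* | *..*)
                    echo "skipped (not a plain path): $path" >&2 ;;
                *)
                    printf '  %s r,\n' "$path" ;;
            esac
        done
}

# Constructed sample input (hypothetical command definitions).
sample=$(mktemp)
cat > "$sample" <<'EOF'
define command {
    command_name check_host_alive
    command_line /usr/lib/nagios/plugins/check_icmp --extra-opts=icmp@/etc/nagios/plugins.ini -H $HOSTADDRESS$
}
define command {
    command_name check_dhcp_lan
    command_line /usr/lib/nagios/plugins/check_dhcp --extra-opts=dhcp@/etc/nagios/plugins.ini
}
define command {
    command_name too_broad
    command_line /usr/lib/nagios/plugins/check_icmp --extra-opts=icmp@/etc/nagios/*.ini
}
EOF
extra_opts_rules "$sample"
```

Only absolute paths are matched; option files given as relative paths or through Nagios macros are not picked up and would still have to be added to the profile by hand.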
Comment 13 Swamp Workflow Management 2014-11-03 23:05:08 UTC
SUSE-SU-2014:1352-1: An update that fixes two vulnerabilities is now available.

Category: security (low)
Bug References: 885205,885207
CVE References: CVE-2014-4701,CVE-2014-4702
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    nagios-plugins-1.4.16-0.13.1
SUSE Linux Enterprise Server 11 SP3 (src):    nagios-plugins-1.4.16-0.13.1
Comment 14 Martin Caj 2015-02-20 09:35:43 UTC
An update for nagios-plugins-1.4.16-0.13.1 that fixes two vulnerabilities was published, see:

CVE References: CVE-2014-4701,CVE-2014-4702
Bug References: 885205,885207