Bugzilla – Bug 1014637
VUL-0: CVE-2016-9566: nagios,icinga: Privilege escalation issue
Last modified: 2024-05-14 08:30:06 UTC
https://github.com/NagiosEnterprises/nagioscore/commit/c29557dec91eba2306f5fb11b8da4474ba63f8c4 +* Fixed another root privilege escalation (CVE-2016-9566) Thanks for bringing this to our attention go to Dawid Golunski (http://legalhackers.com). also https://bugzilla.redhat.com/show_bug.cgi?id=1402869 (It is hard to see if debug_file or log_file can be outside of root owned directories... the default should not be there.)
bugbot adjusting priority
I am contacting upstream about insufficient patch. They do a lot of wrong things when setting up the logfiles.
(In reply to Sebastian Krahmer from comment #2)
> I am contacting upstream about insufficient patch.
> They do a lot of wrong things when setting up the logfiles.

http://seclists.org/oss-sec/2017/q1/17
Just noting that there is a follow-up commit to https://github.com/NagiosEnterprises/nagioscore/commit/c29557dec91eba2306f5fb11b8da4474ba63f8c4 "Wrong filename variable used" https://github.com/NagiosEnterprises/nagioscore/commit/8e6e1cb29f3c1b933b0e13fb937ad5ca8b448ccc This does not address Sebastian's concerns, however.
icinga took over the insufficient patch from Nagios: https://github.com/Icinga/icinga-core/commit/a0eb8471673b6b1e9b37e1b7b91151aa00bedb65 Additionally they now open the debug log after the privilege drop: https://github.com/Icinga/icinga-core/commit/e0f55bc9b17ef1db9aed7393fc34576a5b9501f0 But there are probably still other code paths that write to the log in root context, as they already stated in their changelog: This bug affects Icinga 1.x only for opening a debug log, or when a config error gets logged on startup.
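Added example (not part of this bug thread and not Nagios or Icinga code): the comments above are concerned that `log_file` or `debug_file` may lie outside root-owned directories while some code paths still write to the log in root context. This Python check audits every path component for that condition; the sample configuration, its paths and the function names are constructed for illustration.

```python
import os
import re
import stat
import sys

# log_file and debug_file are the directives named in the report.
DIRECTIVE = re.compile(r"^\s*(log_file|debug_file)\s*=\s*(\S+)", re.M)

# Constructed sample configuration; the paths are illustrative only.
SAMPLE_CFG = """\
log_file=/var/log/nagios/nagios.log
debug_file=/var/log/nagios/nagios.debug
"""


def logfile_paths(cfg_text):
    """Return {directive: path} for the log directives found in cfg_text."""
    return dict(DIRECTIVE.findall(cfg_text))


def audit_path(path, lstat=os.lstat, trusted_uids=(0,)):
    """Return (component, reason) pairs that make `path` unsafe for a root writer.

    Every component from / down to the file is examined, because whoever
    controls a parent directory can replace the file with a link.
    """
    path = os.path.abspath(path)
    parts = path.strip(os.sep).split(os.sep)
    prefixes = [os.sep] + [os.sep + os.sep.join(parts[:i + 1]) for i in range(len(parts))]
    findings = []
    for prefix in prefixes:
        try:
            st = lstat(prefix)
        except FileNotFoundError:
            break  # not created yet; its parent directories were already checked
        if st.st_uid not in trusted_uids:
            findings.append((prefix, f"owned by uid {st.st_uid}"))
        if stat.S_ISLNK(st.st_mode):
            if prefix == path:
                findings.append((prefix, "is a symbolic link"))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((prefix, "group- or world-writable"))
    return findings


if __name__ == "__main__":
    # Usage: pass the path of the main configuration file as the first argument.
    cfg = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CFG
    for directive, target in logfile_paths(cfg).items():
        for component, reason in audit_path(target):
            print(f"{directive}: {component} {reason}")
```

Any finding on a parent directory matters even when the log file itself looks fine, since the directory owner can swap the file before the next root-context write.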
openSUSE-SU-2017:0146-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 1014637,952777
CVE References: CVE-2015-8010,CVE-2016-9566
Sources used:
openSUSE Leap 42.2 (src): icinga-1.14.0-4.1
openSUSE Leap 42.1 (src): icinga-1.14.0-3.1
Hi, I see that both MRs never made it to our products:
Maintenance request 148057 submitted for nagios on SLES-11 (IBS) declined
Maintenance request 148058 submitted for nagios on SLES-12 (IBS) declined
Looking at the changes of both packages, I don't see any update. Could you please resubmit it again?
Fixes submitted for:
* openSUSE:Backports:SLE-15-SP1:Update
* openSUSE:Backports:SLE-15-SP2:Update
* openSUSE:Backports:SLE-15-SP3
* openSUSE:Leap:15.2:Update

This Nagios upgrade sums up multiple security fixes and other important changes.

Security issues fixed in this upgrade:
* bsc#1172794 / CVE-2020-13977: Fixed postauth vulnerabilities in histogram.js, map.js, trends.js
* bsc#989759 / CVE-2016-6209 : The "corewindow" parameter has been disabled by default
* bsc#1014637 / CVE-2016-9566 : Fixed another root privilege escalation
* bsc#1182398 : nagios_upgrade.sh writing to log file in user controlled directory

Additional fixes:
* bsc#1003362 : new nagios-exec-start-post script
* Fixed Map display in Internet Explorer 11
* Fixed duplicate properties appearing in statusjson.cgi
* Fixed build process when using GCC 10
* Fixed HARD OK states triggering on the maximum check attempt
This is an autogenerated message for OBS integration:
This bug (1014637) was mentioned in
https://build.opensuse.org/request/show/892196 Backports:SLE-15-SP1 / nagios
https://build.opensuse.org/request/show/892197 Backports:SLE-15-SP2 / nagios
https://build.opensuse.org/request/show/892198 Backports:SLE-15-SP3 / nagios
https://build.opensuse.org/request/show/892199 15.2 / nagios
openSUSE-SU-2021:0715-1: An update that solves two vulnerabilities and has three fixes is now available.
Category: security (important)
Bug References: 1003362,1014637,1172794,1182398,989759
CVE References: CVE-2016-6209,CVE-2020-13977
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): nagios-4.4.6-lp152.2.3.1
openSUSE-SU-2021:0735-1: An update that solves two vulnerabilities and has three fixes is now available.
Category: security (important)
Bug References: 1003362,1014637,1172794,1182398,989759
CVE References: CVE-2016-6209,CVE-2020-13977
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP2 (src): nagios-4.4.6-bp152.2.3.1
SUSE-SU-2022:3576-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 1014637,1156309
CVE References: CVE-2016-9566,CVE-2019-3698
JIRA References:
Sources used:
SUSE Manager Tools 12 (src): icinga-1.13.3-12.6.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Looks like the maintenance bot is not working as I expected. Closing here.
SUSE-SU-2024:1629-1: An update that solves two vulnerabilities and contains one feature can now be installed.
Category: security (moderate)
Bug References: 1014637, 1156309
CVE References: CVE-2016-9566, CVE-2019-3698
Jira References: MSQA-775
Maintenance Incident: [SUSE:Maintenance:33763](https://smelt.suse.de/incident/33763/)
Sources used:
SUSE Manager Client Tools for SLE 12 (src): grafana-sap-providers-1.1-1.7.1, grafana-sap-netweaver-dashboards-1.0.3+git.1601889366.9f71957-1.10.1, icinga-1.13.3-12.8.1, grafana-ha-cluster-dashboards-1.1.0+git.1605027022.a84d536-1.10.1, hwdata-0.314-10.14.1, zeromq-4.0.4-15.8.1, sysuser-tools-2.0-1.9.1
SUSE Manager Client Tools Beta for SLE 12 (src): grafana-sap-providers-1.1-1.7.1, grafana-sap-netweaver-dashboards-1.0.3+git.1601889366.9f71957-1.10.1, icinga-1.13.3-12.8.1, grafana-ha-cluster-dashboards-1.1.0+git.1605027022.a84d536-1.10.1, zeromq-4.0.4-15.8.1, sysuser-tools-2.0-1.9.1
Advanced Systems Management Module 12 (src): zeromq-4.0.4-15.8.1
Containers Module 12 (src): sysuser-tools-2.0-1.9.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): sysuser-tools-2.0-1.9.1, grafana-sap-netweaver-dashboards-1.0.3+git.1601889366.9f71957-1.10.1, grafana-ha-cluster-dashboards-1.1.0+git.1605027022.a84d536-1.10.1, grafana-sap-providers-1.1-1.7.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): zeromq-4.0.4-15.8.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): sysuser-tools-2.0-1.9.1
SUSE Linux Enterprise Server 12 SP5 (src): sysuser-tools-2.0-1.9.1
SUSE Linux Enterprise Workstation Extension 12 12-SP5 (src): zeromq-4.0.4-15.8.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.