Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 04 Sep 2013 13:45:33 +0200
From: Jonas Meurer <jonas@...esources.org>
To: Andreas Ericsson <ae@....se>
Cc: oss-security@...ts.openwall.com, nagios-devel@...ts.sourceforge.net,
 Vincent Danen <vdanen@...hat.com>, Kurt Seifried <kseifried@...hat.com>,
 contribute@...ios.org
Subject: Re: Security bug or feature? Servicegroups leak hostnames to unauthorized users (Was: CVE request: unauthorized host/service views displayed in servicegroup view)

Am 2013-09-04 11:03, schrieb Andreas Ericsson:
> On 2013-09-04 10:31, Jonas Meurer wrote:
>> Hey list and fellow Nagios developers,
>> 
>> as you might have noticed, there's a discussion ongoing on 
>> oss-security[1]
>> regarding bug report #456[2].
>> 
>> I'm the one who discovered the described issue, and I still believe 
>> that
>> it's a bug with security implications, even though not everyone seems 
>> to
>> be convinced.
>> 
>> I'll try to give a brief description of the issue:
>> 
>> The Nagios status.cgi (at all 3.4* and 4.0* versions I checked) leaks
>> hostnames to unauthorized users as part of servicegroups. All of
>> servicegroup overview, summary and grid list each and every hostname 
>> that
>> is part of a servicegroup, regardless whether the HTTP user is listed 
>> in
>> contacts/contactgroups for this host.
>> 
>> In my opinion this is a security issue - at least on multi-user (e.g.
>> multi-customer) Nagios-setups. I guess that most ISPs which give their
>> customers access to the Nagios CGIs don't want to provide a full list
>> of monitored hosts to their customers as a side-effect.
>> 
>> One reason for confusion is the following entry from Nagios3 
>> changelog[3]:
>> 
>> 3.4.0 - 05/04/2012
>> ENHANCEMENTS
>> [...]
>> - Users can now see hostgroups and servicegroups that contain at least
>>    one host or service they are authorized for, instead of having to
>>    be authorized for them all (Ethan Galstad)
>> 
>> 
>> The indisputable part of this change is, that users are allowed to see
>> hostgroups and servicegroups with at least one authorized host or
>> service. Unclear is, whether this means "group and all its group
>> members", or "group and only authorized group members".
>> 
> 
> It should mean "group and only authorized group members, except also
> hosts for services where one is authorized to see the service".

Ok, so if this was intended, then there indeed is a bug.

>> You can find my patch at the Nagios Issue Tracker.
> 
> Ah, right. Care to provide a link? Mostly, I prefer to get patches to
> this mailing list, since I don't spend a lot of time hunting them down
> from the (underused) tracker.

Sure, my original mail already had it as footnote. Here you find patches
for Nagios 3.4.4 and 4 (master from 26.06.2013):

http://tracker.nagios.org/view.php?id=456

>> A comment about this issue by the Nagios Developers whould be highly
>> appreciated. In case that the described (and critizised) behaviour of
>> status.cgi is intended, the distribution security teams can move on.
>> 
> 
> Well, it *was* by design, but now I'm changing the design. It's a good
> time for it, since 4.0 is about to come out. I think the security teams
> can move on and we'll consider this "changed" rather than "fixed" for
> 4.0, where we do some security tightening.

At least when I checked last (26.06.2013), Nagios 4 was still affected
by the bug. Did you change the way status.cgi checks for authentication
in the meantime?

Kind regards,
  jonas

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.