Bug 476538 (CVE-2013-4114) - <net-analyzer/nagstamon-0.9.11_rc1: User credentials exposure (CVE-2013-4114)
Summary: <net-analyzer/nagstamon-0.9.11_rc1: User credentials exposure (CVE-2013-4114)
Status: RESOLVED FIXED
Alias: CVE-2013-4114
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://nagstamon.ifw-dresden.de/docs/...
Whiteboard: B1 [glsa]
Reported: 2013-07-11 13:19 UTC by Ewoud Kohl van Wijngaarden
Modified: 2014-01-06 22:24 UTC
Attachments
nagstamon-0.9.10.ebuild (nagstamon-0.9.10.ebuild,936 bytes, text/plain)
2013-07-23 09:38 UTC, Ewoud Kohl van Wijngaarden

Description Ewoud Kohl van Wijngaarden 2013-07-11 13:19:17 UTC
From $url: Nagstamon prior to version 0.9.10 has a grave security hole built in.

The automatic request to http://nagstamon.sourceforge.net/latest_version_<version> to get update information contained the username and password of one of your monitor servers.  Yes, username and password - in plain base64 text format in the HTTP Basic Auth header.

Reproducible: Always
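The flaw described above, modelled as an added example (not Nagstamon's own code): a client that attaches the monitor server's HTTP Basic credentials to every request, including the update check, beside a variant that scopes them to the origin they were issued for, plus a small helper showing what a passive observer recovers from such a header. All hosts, user names and passwords are constructed placeholders.

```python
"""Added example, not Nagstamon's code: credential leakage via an
unscoped HTTP Basic Authorization header, and the scoped alternative.
All hosts, users and passwords below are constructed placeholders."""
import base64
from urllib.parse import urlsplit

# Constructed placeholders for the example.
MONITOR_URL = "https://nagios.example.internal/nagios/"
MONITOR_CREDS = ("nagiosadmin", "s3cret")
UPDATE_URL = "http://nagstamon.sourceforge.net/latest_version_0.9.9"


def basic_auth_header(user, password):
    """Build the HTTP Basic Authorization header value (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic_header(header_value):
    """What a passive observer sees: base64 is encoding, not encryption."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def headers_vulnerable(url):
    """Pre-0.9.10 behaviour as the report describes it: the monitor server's
    credentials ride along on every request, whatever the destination."""
    return {"Authorization": basic_auth_header(*MONITOR_CREDS)}


def headers_scoped(url, creds=MONITOR_CREDS, cred_origin=MONITOR_URL):
    """Hardened variant: attach credentials only when scheme, host and port
    (None meaning the scheme default) match the origin they belong to."""
    def origin(u):
        parts = urlsplit(u)
        return (parts.scheme, parts.hostname, parts.port)
    if origin(url) == origin(cred_origin):
        return {"Authorization": basic_auth_header(*creds)}
    return {}


def leaked_credentials(headers):
    """Detection helper: the (user, password) pair a sniffer could recover
    from a captured request's headers, or None if nothing is exposed."""
    if "Authorization" not in headers:
        return None
    return decode_basic_header(headers["Authorization"])
```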
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-11 21:53:01 UTC
Calling this a B1, since, as best I can understand the announcement, it's possible to get the remote monitoring (i.e. nagios) user's credentials.
Excerpt: "A remote attacker could use this flaw to obtain user credentials for server monitored by the desktop status monitor due to their improper (base64 encoding based) encoding in the HTTP request."

@maintainers: please ack a stable
Comment 2 Ewoud Kohl van Wijngaarden 2013-07-23 09:38:06 UTC
Created attachment 354002 [details]
nagstamon-0.9.10.ebuild

Since the patch is 92 lines and this is just 43, I didn't upload a patch. Changes are:
* Use distutils-r1.eclass instead of python.eclass
* Link to the new website

This could use some review:
* I'm unsure if the postinst and postrm are still needed. I didn't think so, but couldn't find it in the documentation.
* I'm now installing using setup.py, but this means the resources are duplicated for each python version.

Because of this security leak, I am using this ebuild on my desktop without any issues. If it would help to get this in the tree, I am willing to work on this with a proxy maintainer. (Or would I be the proxy maintainer? Little unclear on the exact terminology.)
Comment 3 Christian Ruppert (idl0r) gentoo-dev 2013-08-24 20:55:04 UTC
Sorry for the delay. Feel free to stabilize 0.9.11_rc1. It works fine for me so I think it's ok to stabilize it.
Comment 4 Sergey Popov gentoo-dev 2013-08-25 14:38:21 UTC
(In reply to Christian Ruppert (idl0r) from comment #3)
> Sorry for the delay. Feel free to stabilize 0.9.11_rc1. It works fine for me
> so I think it's ok to stabilize it.

Arches, please test and mark stable =net-analyzer/nagstamon-0.9.11_rc1

Target keywords: amd64 x86
Comment 5 Sergey Popov gentoo-dev 2013-08-25 14:39:21 UTC
(In reply to Ewoud Kohl van Wijngaarden from comment #2)
> Created attachment 354002 [details]
> nagstamon-0.9.10.ebuild
> 
> Since the patch is 92 lines and this is just 43, I didn't upload a patch.
> Changes are:
> * Use distutils-r1.eclass instead of python.eclass
> * Link to the new website
> 
> This could use some review:
> * I'm unsure if the postinst and postrm are still needed. I didn't think so,
> but couldn't find it in the documentation.
> * I'm now installing using setup.py, but this means the resources are
> duplicated for each python version.
> 
> Because of this security leak, I am using this ebuild on my desktop without
> any issues. If it would help to get this in the tree, I am willing to work
> on this with a proxy maintainer. (Or would I be the proxy maintainer? Little
> unclear on the exact terminology.)

Post your ebuild improvements in a separate bug, please. This bug is about the security issue.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 03:23:35 UTC
CVE-2013-4114 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4114):
  The automatic update request in Nagstamon before 0.9.10 uses a cleartext
  base64 format for transmission of a username and password, which allows
  remote attackers to obtain sensitive information by sniffing the network.
Comment 7 Agostino Sarubbo gentoo-dev 2013-08-28 10:27:26 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-08-28 10:27:42 UTC
x86 stable
Comment 9 Sergey Popov gentoo-dev 2013-08-30 09:55:35 UTC
Thanks to all. GLSA request filed
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-01-06 20:04:51 UTC
This issue was resolved and addressed in
 GLSA 201401-03 at http://security.gentoo.org/glsa/glsa-201401-03.xml
by GLSA coordinator Sergey Popov (pinkbyte).
Comment 11 Ewoud Kohl van Wijngaarden 2014-01-06 21:05:54 UTC
Not sure if this is the right place to report, but the GLSA states that vulnerable versions are >= 0.9.11_rc1, but I think this should be <=. Also there is a workaround by disabling checks for newer versions.
Comment 12 Sergey Popov gentoo-dev 2014-01-06 22:24:19 UTC
(In reply to Ewoud Kohl van Wijngaarden from comment #11)
> Not sure if this is the right place to report, but the GLSA states that
> vulnerable versions are >= 0.9.11_rc1, but I think this should be <=. Also
> there is a workaround by disabling checks for newer versions.

Indeed, that's a mistake; a new GLSA revision has been rolled out. The updated version will soon be on glsa.gentoo.org.
The update instructions have not changed, so, as per our policy, no republication or erratum is needed.