I got this mail on oss-security today:
We need two CVE id's for the Nagios project.
Low-privileged users can create a custom form (or use a browser
addon) to bypass authorization and submit commands to the nagios
process that causes other programs to be run with the privileges
of the Nagios process.
Fixed in Nagios 3.0.5.
Cross-Site Request Forgery allows remote attackers to submit
commands to the nagios process, thereby causing programs to run
on the Nagios server with the privileges of the Nagios process.
Patch available at
We already have 3.0.5 in tree (unstable). I do not have further information about 2.x, but we can fix 3.x before we know more about 2.x.
I only give it a severity of B2 because you need to have created a low-privileged user; not just everyone can exploit the server. Other opinions/better information on the bugs is welcome.
(In reply to comment #1)
> I only give it a severity of B2 because you need to have created a
> low-privileged user; not just everyone can exploit the server. Other
> opinions/better information on the bugs is welcome.
- For Nagios-3 the issue is partially solved with 3.0.5, additional patches are available which implement a basic session handling. These are (unoffically) available as 3.0.5p1, I'd like to wait for Ethan Galstad to make this an offical release (which should happen soonish).
- For Nagios-2 I asked for feedback on the Nagios devel mailinglist , it is (partially) affected as well. Some patches are available, session handling isn't backported (yet?). I'd like to wait for more official patches or a new release as well.
Having a fixed Nagios-3 version marked as stable for this bug is not an option for now, so we would need to fix Nagios-2 (but other distributions will need to as well).
white from Debian passed us this on IRC (#oss-sec):
10:10:38 <white> rbu: our nagios3 maintainer came up with this backported patch http://www.formorer.de/~formorer/nagios-security.patch2
10:10:47 <white> rbu: in case your maintainer wants to have a look as well
10:10:09 <white> eugene_: i am sure redhat might find the patch useful as well, maybe you want to forward it? I am afraid there is none for nagios2 yet, but IMHO it's not that severe in nagios2
The Nagios process in (1) Nagios before 3.0.5 and (2) op5 Monitor before 4.0.1 allows remote authenticated users to bypass authorization checks, and trigger execution of arbitrary programs by this process, via an (a) custom form or a (b) browser addon.
Cross-site request forgery (CSRF) vulnerability in cmd.cgi in (1) Nagios 3.0.5 and (2) op5 Monitor before 4.0.1 allows remote attackers to send commands to the Nagios process, and trigger execution of arbitrary programs by this process, via unspecified HTTP requests.
ping, please bump.
(In reply to comment #5)
> ping, please bump.
pong, i mailed Ethan Galstad to ask if he plans to release new versions somewhat soonish.
(In reply to comment #6)
> (In reply to comment #5)
> > ping, please bump.
> pong, i mailed Ethan Galstad to ask if he plans to release new versions
> somewhat soonish.
no feedback yet - i added nagios-core-3.0.5-r1 which includes the patch by Andreas Ericsson for CVE-2008-5028.
I just bumped to 3.0.6 which has been released some hours ago, according to the ChangeLog this version does also contain those fixes (not using the patch we had in 3.0.5-r1).
3.0.6 - 12/01/2008
* Fix for CGI submission of external commands (writing newlines and
submitting service comments)
I plan to get nagios-3 ebuilds marked stable in early january (30 days from now on).
I found the following thread rather confusing than illuminating, but it explains the provenance of these CVEs:
(In reply to comment #9)
> I found the following thread rather confusing than illuminating, but it
> explains the provenance of these CVEs:
17:40 < dertobi123> rbu: nice discussion on that nagios foo ...
17:41 < dertobi123> looks like we'll need to wait for 3.0.7 which finally includes the fixes by andreas ericsson ...
17:41 * dertobi123 wondered why those weren't included in 3.0.6 ...
Any news on Nagios 3.0.7 ?
(In reply to comment #11)
> Any news on Nagios 3.0.7 ?
no, and still no reply to my mail sent to Ethan Galstad. *sigh*
How about a fixed 3.0.6 ebuild, then? Or, how about a fixed 2.12 ebuild?
Many people are using this software on production networks and really would prefer not have security issues like this outstanding when there is a (mostly) known fix.
When can we expect to see a resolution on this?